Preface


ASIACRYPT 2000 was the sixth annual ASIACRYPT conference. It was sponsored by the International Association for Cryptologic Research (IACR) in cooperation with the Institute of Electronics, Information, and Communication Engineers (IEICE).

The first conference with the name ASIACRYPT took place in 1991, and the 
series of ASIACRYPT conferences were held in 1994, 1996, 1998, and 1999, in 
cooperation with IACR. ASIACRYPT 2000 was the first conference in the series 
to be sponsored by IACR. 

The conference received 140 submissions (1 submission was withdrawn by the authors later), and the program committee selected 45 of these for presentation. Extended abstracts of the revised versions of these papers are included in these proceedings. The program also included two invited lectures by Thomas Berson (Cryptography Everywhere: IACR Distinguished Lecture) and Hideki Imai (CRYPTREC Project - Cryptographic Evaluation Project for the Japanese Electronic Government). Abstracts of these talks are included in these proceedings.

The conference program also included its traditional “rump session” of short, informal or impromptu presentations, kindly chaired by Moti Yung. Those presentations are not reflected in these proceedings.

The selection of the program was a challenging task as many high quality 
submissions were received. The program committee worked very hard to evaluate 
the papers with respect to quality, originality, and relevance to cryptography. 

I am extremely grateful to the program committee members for their enormous investment of time and effort in the difficult and delicate process of review and selection.

I gratefully acknowledge the help of a large number of colleagues who reviewed submissions in their area of expertise: Masayuki Abe, Harald Baier, Olivier Baudron, Mihir Bellare, John Black, Michelle Boivin, Seong-Taek Chee, Ronald Cramer, Claude Crepeau, Pierre-Alain Fouque, Louis Granboulan, Safuat Hamdy, Goichiro Hanaoka, Birgit Henhapl, Mike Jacobson, Masayuki Kanda, Jonathan Katz, Dennis Kuegler, Dong-Hoon Lee, Markus Maurer, Bodo Moeller, Phong Nguyen, Satoshi Obana, Thomas Pfahler, John O. Pliam, David Pointcheval, Guillaume Poupard, Junji Shikata, Holger Vogt, Ullrich Vollmer, Yuji Watanabe, Annegret Weng, and Seiji Yoshimoto.

An electronic submission process was available and recommended. I would like to thank Kazumaro Aoki, who did an excellent job in running the electronic submission system of the ACM SIGACT group and in making a support system for the review process of the PC members. Special thanks to many people who supported him: Seiichiro Hangai and Christian Cachin for their web page support, Joe Kilian for giving him a MIME parser, Steve Tate for supporting the SIGACT package, Wim Moreau for consulting their electronic review system, and Masayuki Abe for scanning non-electronic submissions. Special thanks go to Mami Yamaguchi and Junko Taneda for their support in arranging review reports and editing these proceedings.

I would like to thank Tsutomu Matsumoto, general chair, and the members of the organizing committee: Seiichiro Hangai, Shouichi Hirose, Daisuke Inoue, Keiichi Iwamura, Masayuki Kanda, Toshinobu Kaneko, Shinichi Kawamura, Michiharu Kudo, Hidenori Kuwakado, Masahiro Mambo, Mitsuru Matsui, Natsume Matsuzaki, Atsuko Miyaji, Shiho Moriai, Eiji Okamoto, Kouichi Sakurai, Fumihiko Sano, Atsushi Shimbo, Takeshi Shimoyama, Hiroki Shizuya, Nobuhiro Tagashira, Kazuo Takaragi, Makoto Tatebayashi, Toshio Tokita, Naoya Torii. We are especially grateful to Shigeo Tsujii and Hideki Imai for their great support of the organizing committee.

The organizing committee gratefully acknowledges the financial contributions 
of the two organizations, Initiatives in Research of Information Security (IRIS) 
and the Telecommunications Advancement Organization (TAF), as well as many 
companies. 

I wish to thank all the authors who by submitting papers made this conference possible, and the authors of accepted papers for their cooperation.

Finally, I would like to dedicate these proceedings to the memory of Kenji Koyama, who passed away in March 2000. He was 50 years old. He was one of the main organizers of the first ASIACRYPT conference held in Japan in 1991, and devoted himself to making IACR the sponsor of ASIACRYPT. He was looking forward to ASIACRYPT 2000 very much, since it was the first of the ASIACRYPT conference series sponsored by IACR. May he rest in peace.


September 2000 


Tatsuaki Okamoto 
Cryptanalytic Time/Memory/Data Tradeoffs for Stream Ciphers


Alex Biryukov and Adi Shamir 


Computer Science Department 
The Weizmann Institute 
Rehovot 76100, Israel. 


Abstract. In 1980 Hellman introduced a general technique for breaking arbitrary block ciphers with N possible keys in time T and memory M related by the tradeoff curve TM^2 = N^2 for 1 < T < N. Recently, Babbage and Golic pointed out that a different TM = N tradeoff attack for 1 < T < D is applicable to stream ciphers, where D is the amount of output data available to the attacker. In this paper we show that a combination of the two approaches has an improved time/memory/data tradeoff for stream ciphers of the form TM^2 D^2 = N^2 for any D^2 < T < N. In addition, we show that stream ciphers with low sampling resistance have tradeoff attacks with fewer table lookups and a wider choice of parameters.

Keywords: Cryptanalysis, stream ciphers, time/memory tradeoff attacks.

1 Introduction 

There are two major types of symmetric cryptosystems: Block ciphers (which 
encrypt a plaintext block into a ciphertext block by mixing it in an invertible 
way with a fixed key), and stream ciphers (which use a finite state machine 
initialized with the key to produce a long pseudo random bit string, which is 
XOR’ed with the plaintext to obtain the ciphertext). 

Block and stream ciphers have different design principles, different attacks, and different measures of security. The open cryptanalytic literature contains many papers on the resistance of block ciphers to differential and linear attacks, on their avalanche properties, on the properties of Feistel or S-P structures, on the design of S-boxes and key schedules, etc. The relatively few papers on stream ciphers tend to concentrate on particular ciphers and on particular attacks against them. Among the few unifying ideas in this area are the use of linear feedback shift registers as bit generators, and the study of the linear complexity and correlation immunity of the ciphers.

In this paper we concentrate on a general type of cryptanalytic attack known as a time/memory tradeoff attack. Such an attack has two phases: During the preprocessing phase (which can take a very long time) the attacker explores the general structure of the cryptosystem, and summarizes his findings in large tables (which are not tied to particular keys). During the realtime phase, the attacker is given actual data produced from a particular unknown key, and his goal is to use the precomputed tables in order to find the key as quickly as possible.

T. Okamoto (Ed.): ASIACRYPT 2000, LNCS 1976, pp. 1-13, 2000.

In any time-memory tradeoff attack there are five key parameters:

— N represents the size of the search space.

— P represents the time required by the preprocessing phase of the attack.

— M represents the amount of random access memory (in the form of hard disks or DVD’s) available to the attacker.

— T represents the time required by the realtime phase of the attack.

— D represents the amount of realtime data available to the attacker.

2 Tradeoff Attacks on Block and Stream Ciphers 

In the case of block ciphers, the size N of the search space is the number of possible keys. We assume that the number of possible plaintexts and ciphertexts is also N, and that the given data is a single ciphertext block produced from a fixed chosen plaintext block. The best known time/memory tradeoff attack is due to Hellman [5]. It uses any combination of parameters which satisfy the following relationships: TM^2 = N^2, P = N, D = 1 (see Section 3 for further details). The optimal choice of T and M depends on the relative cost of these computational resources. By choosing T = M, Hellman gets the particular tradeoff point T = N^{2/3} and M = N^{2/3}.

Hellman’s attack is applicable to any block cipher whose key to ciphertext mapping (for a fixed plaintext) behaves as a random function f over a space of N points. If this function happens to be an invertible permutation, the tradeoff relation becomes TM = N, which is even better. An interesting property of Hellman’s attack is that even if the attacker is given a large number D of chosen plaintext/ciphertext pairs, it is not clear how to use them in order to improve the attack.

Stream ciphers have a very different behavior with respect to time/memory 
tradeoff attacks. The size N of the search space is determined by the number 
of internal states of the bit generator, which can be different from the number 
of keys. The realtime data typically consists of the first D pseudorandom bits 
produced by the generator, which are computed by XOR’ing a known plaintext 
header and the corresponding ciphertext bits (there is no difference between a 
known and a chosen plaintext attack in this case). The goal of the attacker is to 
find at least one of the actual states of the generator during the generation of 
this output, after which he can run the generator forwards an unlimited number 
of steps, produce all the later pseudorandom bits, and derive the rest of the 
plaintext. Note that in this case there is no need to run the generator backwards 
or to find the original key, even though this is doable in many practical cases. 

The simplest time/memory tradeoff attack on stream ciphers was independently described by Babbage [2] and Golic [4], and will be referred to as the BG attack. It associates with each one of the N possible states of the generator the string consisting of the first log(N) bits produced by the generator from that state. This mapping f(x) = y from states x to output prefixes y can be viewed as a random function over a common space of N points, which is easy to evaluate but hard to invert. The goal of the attacker is to invert it on some substring of the given output, in order to recover the corresponding internal state. The preprocessing phase of the attack picks M random states x_i, computes their corresponding output prefixes y_i, and stores all the (x_i, y_i) pairs in a random access memory, sorted into increasing order of y_i. The realtime phase of the attack is given a prefix of D + log(N) - 1 generated bits, and derives from it all the D possible windows y_1, y_2, ..., y_D of log(N) consecutive bits (with overlaps). It looks up each y_j from the data in logarithmic time in the sorted table. If at least one y_j is found in the table, its corresponding x_j makes it possible to derive the rest of the plaintext by running the generator forwards from this known state.^1 The threshold of success for this attack can be derived from the birthday paradox, which states that two random subsets of a space with N points are likely to intersect when the product of their sizes exceeds N. If we ignore logarithmic factors, this condition becomes DM = N where the preprocessing time is P = M and the attack time is T = D. This represents one particular point on the time/memory tradeoff curve TM = N. By ignoring some of the available data during the actual attack, we can reduce T from D towards 1, and thus generalize the tradeoff to TM = N and P = M for any 1 < T < D.
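To make the BG attack concrete, here is an added Python example that is not part of the paper: it runs the preprocessing and realtime phases against a toy hash-driven generator with N = 2^20 states. The generator itself, the parameters M = D = 2^10 and all function names are this example's own assumptions. The table is keyed by the log(N)-bit prefix, the D overlapping windows are looked up one by one, and a hit is verified against the rest of the observed output so that a prefix with several predecessors (the footnote's "false alarm") does not yield a wrong state.

```python
import hashlib
import random

# Toy generator, an assumption of this example (not a cipher from the paper): the
# state is an n-bit integer, and each clock takes the output bit and the next state
# from a hash of the current state, so the state-to-prefix map f behaves like a
# random function on N = 2^n points that is easy to evaluate but hard to invert.
n = 20
N = 1 << n


def clock(state):
    """Return (output_bit, next_state) for the toy generator."""
    h = int.from_bytes(hashlib.sha256(state.to_bytes(4, "big")).digest()[:8], "big")
    return h & 1, (h >> 1) & (N - 1)


def keystream(state, length):
    """The first `length` output bits produced from `state`, as a list of 0/1."""
    bits = []
    for _ in range(length):
        bit, state = clock(state)
        bits.append(bit)
    return bits


def bits_to_int(bits):
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def prefix(state):
    """f(x): the first log2(N) = n output bits from state x, packed into an integer."""
    return bits_to_int(keystream(state, n))


def preprocess(M, seed=0):
    """BG preprocessing (P = M): pick M random states and index them by their
    prefix. A dict plays the role of the sorted (x_i, y_i) table, and all states
    sharing a prefix are kept, since f is not injective."""
    rng = random.Random(seed)
    table = {}
    for _ in range(M):
        x = rng.randrange(N)
        table.setdefault(prefix(x), []).append(x)
    return table


def attack(table, output):
    """BG realtime phase (T = D): slide an n-bit window over the D + n - 1 observed
    bits and look each window up. A hit is accepted only if the candidate state
    reproduces the whole remaining output, which filters out the "false alarms"
    caused by prefixes with several predecessors. Returns (j, x) or None."""
    D = len(output) - n + 1
    for j in range(D):
        y = bits_to_int(output[j:j + n])
        for x in table.get(y, []):
            if keystream(x, len(output) - j) == output[j:]:
                return j, x
    return None


def demo(M=1 << 10, D=1 << 10, seed=1):
    """One trial with DM = N: success is expected with constant probability
    (about 1 - 1/e); returns the recovered (j, x) or None."""
    rng = random.Random(seed)
    table = preprocess(M, seed)
    secret = rng.randrange(N)                # unknown initial state
    output = keystream(secret, D + n - 1)    # keystream = known plaintext XOR ciphertext
    return attack(table, output)


if __name__ == "__main__":
    print(demo())
```

With DM = N the trial in demo() succeeds with constant probability, as the birthday-paradox argument predicts; halving M and doubling D (or the reverse) moves along the TM = N curve without changing that probability.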

This TM = N tradeoff is similar to Hellman’s TM = N tradeoff for random permutations and better than Hellman’s TM^2 = N^2 tradeoff for random functions (when T = M we get T = M = N^{1/2} instead of T = M = N^{2/3}). However, this formal comparison is misleading since the two tradeoffs are completely different: they are applicable to different types of cryptosystems (stream vs. block ciphers), are valid in different parameter ranges (1 < T < D vs. 1 < T < N), and require different amounts of data (about D bits vs. a single chosen plaintext/ciphertext pair).

To understand the fundamental difference between tradeoff attacks on block ciphers and on stream ciphers, consider the problem of using a large value of D to speed up the attack. The mapping defined by a block cipher has two inputs (key and plaintext block) and one output (ciphertext block). Since each precomputed table in Hellman’s attack on block ciphers is associated with a particular plaintext block, we cannot use a common table to simultaneously analyse different ciphertext blocks (which are necessarily derived from different plaintext blocks during the lifetime of a single key). The mapping defined by a stream cipher, on the other hand, has one input (state) and one output (an output prefix), and thus has a single “flavour”: When we try to invert it on multiple output prefixes, we can use the same precomputed tables in all the attempts. As a result, tradeoff attacks on stream ciphers can be much more efficient than tradeoff attacks on block ciphers when D is large, but this possibility had not been explored so far in the research literature.


1 Note that y_j may have multiple predecessors, and thus x_j may be different from the state we look for. However, it can be shown that these “false alarms” increase the complexity of the attack by only a small constant factor.





3 Combining the Two Tradeoff Attacks 

In this section we show that it is possible to combine the two types of tradeoff attacks to obtain a new attack on stream ciphers whose parameters satisfy the relation P = N/D and TM^2 D^2 = N^2 for any D^2 < T < N. A typical point on this tradeoff relation is P = N^{2/3} preprocessing time, T = N^{2/3} attack time, M = N^{1/3} disk space, and D = N^{1/3} available data. For N = 2^{100} the parameters P = T = 2^{66} and M = D = 2^{33} are all (barely) feasible, whereas the Hellman attack with T = M = N^{2/3} = 2^{66} requires an unrealistic amount of disk space M, and the BG attack with T = D = N^{2/3} = 2^{66} and M = N^{1/3} = 2^{33} requires an unrealistic amount of data D.


3.1 Hellman’s Time/Memory Tradeoff Attack on Block Ciphers

The starting point of the new attack on stream ciphers is Hellman’s original tradeoff attack on block ciphers, which considers the random function f that maps the key x to the ciphertext block y for some fixed chosen plaintext. This f is easy to evaluate but hard to invert, since the problem of computing x = f^{-1}(y) is exactly the cryptanalytic problem of deriving the key x from the given ciphertext block y.

To perform this difficult inversion of f with an algorithm which is faster than exhaustive search, Hellman uses a preprocessing stage which tries to cover the N points of the space with a rectangular m × t matrix whose rows are long paths obtained by iterating the function f t times on m randomly chosen starting points. The startpoints are described by the leftmost column of the matrix, and the corresponding endpoints are described by the rightmost column of the matrix (see Fig. 1). The output of the preprocessing stage is the collection of (startpoint, endpoint) pairs of all the chosen paths, sorted into increasing endpoint values. During the actual attack, we are given a value y and are asked to find its predecessor x under f. If this x is covered by one of the precomputed paths, the algorithm repeatedly applies f to y until it reaches the stored endpoint, jumps to its associated startpoint, and repeatedly applies f to the startpoint until it reaches y again. The previous point it visits is the desired x.

A single matrix cannot efficiently cover all the N points (in particular, the only way we can cover the approximately N/e leaves of a random directed graph is to choose them as starting points). As we add more rows to the matrix, we reach a situation in which we start to re-cover points which are already covered, which makes the coverage increasingly wasteful. To find this critical value of m, assume that the first m paths are all disjoint, but the next path has a common point with one of the previous paths. The first m paths contain exactly mt distinct points (since they are assumed to have no repetitions), and the additional path is likely to contain exactly t distinct points (assuming that t is less than N^{1/2}). By the birthday paradox, the two sets are likely to be disjoint as long as t · mt < N, and thus we choose m and t which satisfy the relation mt^2 = N, which we call the matrix stopping rule.
Fig. 1. Hellman’s Matrix


A single m × t matrix with mt^2 = N covers only a fraction of mt/N = 1/t of the space, and thus we need t “unrelated” matrices to cover the whole space. Hellman’s great insight was the observation that we can use variants f_i of the original f defined by f_i(x) = h_i(f(x)), where h_i is some simple output modification (e.g., reordering the bits of f(x)). These modified variants of f have the following properties:

1. The points in the matrices of f_i and f_j for i ≠ j are essentially independent, since the existence of a common point in two different matrices does not imply that subsequent points on the two paths must also be equal. Consequently, the union of t matrices (each covering mt points) is likely to contain a fixed fraction of the space.

2. The problem of computing x from the given y = f(x) can be solved by inverting any one of the modified functions f_i over the modified point y_i = f_i(x) = h_i(f(x)).

3. The value of y_i = f_i(x) can be computed even when we do not know x by applying h_i to the given y = f(x).

The total precomputation requires P ≈ N time, since we have to cover a fixed fraction of the space in all the precomputed paths. Each matrix covers mt points, but can be stored in m memory locations since we only keep the startpoint and endpoint of each path. The total memory required to store the t matrices is thus M = mt. The given y is likely to be covered by only one of the precomputed matrices, but since we do not know where it is located we have to perform t inversion attempts, each requiring t evaluations of some f_i. The total time complexity of the actual attack is thus T = t^2. To find the tradeoff curve between T and M, we use the matrix stopping rule mt^2 = N to conclude that TM^2 = t^2 · m^2 t^2 = N^2. Note that in this tradeoff formula the time T can be anywhere in the range 1 < T < N, but the space M should be restricted to N^{1/2} < M < N, since otherwise T > N and thus the attack is slower than exhaustive search.


3.2 An Improved Attack on Stream Ciphers 

As explained earlier in this paper, the main difference between tradeoff attacks 
on block ciphers and on stream ciphers is that in a block cipher each given 
ciphertext requires the inversion of a different function, whereas in a stream 
cipher all the given output prefixes can be inverted with respect to the same 
function by using the same precomputed tables. 

To adapt Hellman’s attack from block ciphers to stream ciphers, we use the same basic approach of covering the N points by matrices defined by multiple variants f_i of the function f which represents the state to prefix mapping. Note that partially overlapping prefixes do not necessarily represent neighboring points in the graph defined by the iterations of f, and thus they can be viewed as unrelated random points in the graph. The attack is successful if any one of the D given output values is found in any one of the matrices, since we can then find some actual state of the generator which can be run forward beyond the known prefix of output bits. We can thus reduce the total number of points covered by all the matrices from about N to N/D points, and still get (with high probability) a collision between the stored and actual states.

There are two possible ways to reduce the number of states covered by the matrices: By making each matrix smaller, or by choosing fewer matrices. Since each evaluation step of f_i adds m states to the coverage, it is wasteful to choose m or t which are smaller than the maximum values allowed by the matrix stopping rule mt^2 = N. Our new tradeoff thus keeps each matrix as large as possible, and reduces the number of matrices from t to t/D in order to decrease the total coverage of all the matrices by a factor of D. However, this is possible only when t > D, since if we try to reduce the number of tables to less than 1, we are forced to use suboptimal values of m and t, and thus enter a less efficient region of the tradeoff curve.

Each matrix in the new attack requires the same storage size m as before, but the total memory required to store all the matrices is reduced from M = mt to M = mt/D. The total preprocessing time is similarly reduced from P = N to P = N/D, since we have to evaluate only 1/D of the previous number of paths. The attack time T is the product of the number of matrices, the length of each path, and the number of available data points, since we have to iterate each one of the t/D functions f_i on each one of the D given output prefixes up to t times. This product is T = t^2, which is the same as in Hellman’s original attack.

To find the time/memory/data tradeoff in this attack, we again use the matrix stopping rule mt^2 = N in order to eliminate the parameters m and t from the various expressions. The preprocessing time is P = N/D, which is already free from these parameters. The time T = t^2, memory M = mt/D, and data D clearly satisfy the invariant relationship:

TM^2 D^2 = t^2 · (m^2 t^2 / D^2) · D^2 = m^2 t^4 = N^2

This relationship is valid for any t > D, and thus for any D^2 < T < N. In particular, we can use the parameters P = T = N^{2/3}, M = D = N^{1/3}, which seems to be practical for N up to about 2^{100}.
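The following added Python example (not code from the paper) implements Hellman's matrices of Section 3.1 and the t/D-table variant of Section 3.2 in one place. The random function f is a hash truncated to n = 18 bits, the output modification h_i is an XOR with a table-dependent mask, and N = 2^18, t = 64 and m = N/t^2 = 64 are this example's assumed parameters; build_tables(t) with a single target is Hellman's block-cipher attack, and build_tables(t // D) with D targets is the stream-cipher attack. A dict from endpoint to startpoints stands in for the sorted table, and false alarms from merged chains are rejected by checking f(x) = y.

```python
import hashlib
import random

# Assumed parameters of this example: N = 2^18 points, chains of length t, and
# m = N / t^2 chains per matrix from the matrix stopping rule m t^2 = N.
n = 18
N = 1 << n
t = 64
m = N // (t * t)   # 64


def f(x):
    """Stand-in for the hard-to-invert map (key -> ciphertext block in Section 3.1,
    state -> output prefix in Section 3.2): a hash truncated to n bits, which
    behaves like a random function on N points (an assumption of this example)."""
    return int.from_bytes(hashlib.sha256(x.to_bytes(4, "big")).digest()[:4], "big") & (N - 1)


def h(i, y):
    """Simple output modification h_i defining Hellman's variant f_i(x) = h_i(f(x));
    XOR with a table-dependent mask is this example's choice."""
    return y ^ ((i * 0x9E3779B1) & (N - 1))


def f_i(i, x):
    return h(i, f(x))


def build_tables(num_tables, seed=0):
    """Preprocessing: num_tables matrices, each with m chains of t applications of
    f_i from random startpoints. Only (startpoint, endpoint) pairs are kept; a
    dict from endpoint to the list of startpoints stands in for the sorted table."""
    rng = random.Random(seed)
    tables = []
    for i in range(num_tables):
        table = {}
        for _ in range(m):
            start = rng.randrange(N)
            p = start
            for _ in range(t):
                p = f_i(i, p)
            table.setdefault(p, []).append(start)
        tables.append(table)
    return tables


def invert_in_table(tables, i, y):
    """Look for x with f(x) = y in matrix i: start from y_i = h_i(y) = f_i(x), apply
    f_i up to t times, and whenever an endpoint is reached, replay its chain from
    the startpoint to the point just before y_i. Candidates from merged chains
    ("false alarms") are rejected by checking f(x) = y."""
    p = h(i, y)
    for k in range(t):
        for start in tables[i].get(p, []):
            cand = start
            for _ in range(t - k - 1):   # x lies t - k - 1 steps after the startpoint
                cand = f_i(i, cand)
            if f(cand) == y:
                return cand
        p = f_i(i, p)
    return None


def attack(tables, targets):
    """Realtime phase of Section 3.2: the same tables are tried against every one
    of the D given output prefixes. With t/D tables and D targets this costs
    (t/D) * D * t = t^2 evaluations, as in Hellman's attack. Returns (j, x) with
    f(x) = targets[j] for the first target that is inverted, or None."""
    for i in range(len(tables)):
        for j, y in enumerate(targets):
            x = invert_in_table(tables, i, y)
            if x is not None:
                return j, x
    return None


def tradeoff_point(D):
    """The paper's accounting for t/D tables: (P, T, M, D) and whether the
    invariant T M^2 D^2 = N^2 holds for these integer parameters."""
    P = N // D          # (t/D) tables * m chains * t steps = N / D evaluations
    T = t * t
    M = m * t // D      # stored (startpoint, endpoint) pairs
    return P, T, M, D, T * M * M * D * D == N * N


if __name__ == "__main__":
    D = 8
    tables = build_tables(t // D)                         # Section 3.2: t/D tables
    rng = random.Random(1)
    targets = [f(rng.randrange(N)) for _ in range(D)]     # D prefixes from unknown states
    print(attack(tables, targets), tradeoff_point(D))
```

tradeoff_point(D) reproduces the accounting of the text: with t/D tables the stored pairs drop to M = mt/D and the preprocessing to P = N/D, while T = t^2 is unchanged, and T M^2 D^2 = N^2 holds exactly for these integer parameters. The t/D tables cover about N/D points, so a single target is inverted with probability roughly 1/D, and D targets together with constant probability.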

4 Time/Memory/Data Tradeoff Attacks with Sampling 

One practical problem with tradeoff attacks is that random access to a hard disk requires about 8 milliseconds, whereas a computational step on a fast PC requires less than 2 nanoseconds. This speed ratio of four million makes it crucial to minimize the number of disk operations we perform, in addition to reducing the number of evaluations of f_i. An old idea due to Ron Rivest was to reduce the number of table lookups in Hellman’s attack by defining a subset of special points whose names start with a fixed pattern such as k zero bits.

Special points are easy to generate and to recognize. During the preprocessing stage of Hellman’s attack, we start each path from a randomly chosen point, and stop it only when we encounter another special point (or enter a loop, which is unlikely when t < N^{1/2}). Consequently, we know that the disk contains only special endpoints. If we choose k = log(t), the expected length of each path remains t (with some variability), and the set of mt endpoints we store in all the t tables contains a large fraction of the N/t possible special points.

The main advantage of this approach is that during the actual attack, we have to perform only one expensive disk operation per path (when we encounter the first special point on it). The number of evaluations of f_i remains T = t^2, but the number of disk operations is reduced from t^2 to t, which makes a huge practical difference.

Can we use a similar sampling of special points in tradeoff attacks on stream ciphers? Consider first the case of the BG tradeoff with TM = N, P = M, and 1 < T < D. We say that an output prefix is special if it starts with a certain number of zero bits, and that a state of the stream cipher is special if it generates a special output prefix. We would like to store in the disk during preprocessing only special pairs of (state, output prefix). Unlike the case of Hellman’s attack (where special states appeared on sufficiently long paths with reasonable probability, and acted as natural path terminators), in the BG attack we deal with degenerate paths of length 1 (from a state to its immediate output prefix), and thus we have to use trial and error in order to find special states.

Assume that the ratio between the number of special states and all the states is R, where 0 < R < 1. Then to find the M special states we would like to store during preprocessing, we have to try a much larger number M/R of random states, which increases the preprocessing time from P = M to P = M/R. The attack time reduces from T = D to T = DR, since only the special points in the given data (which are very easy to spot) have to be looked up in the disk. To make it likely to have a collision between the M special states stored in the disk and the DR special states in the data, we have to apply the birthday paradox to the smaller set of NR special states to obtain MDR = NR. The invariant satisfied for all the possible values of R is thus

TP = MD = N for 1 < T < D

An interesting consequence of this tradeoff formula is that the sampling technique has turned the original BG time/memory tradeoff (TM = N) into two independent time/preprocessing (TP = N) and memory/data (MD = N) tradeoffs, which are controlled by the three parameters m, t, and R. For N = 2^{100} the first condition is easy to satisfy, since both the preprocessing time P and the actual time T can be chosen as 2^{50}. However, the second condition is completely unrealistic, since neither the memory M nor the data D can exceed 2^{40}.

We now describe the effect of this sampling technique on the new tradeoff TM^2 D^2 = N^2 described in the previous subsection. The main difference between Hellman’s original attack on block ciphers and the modified attack on stream ciphers is that we use a smaller number t/D of tables, and force T to satisfy T > D^2. Unlike the case of the BG attack, the preprocessing complexity remains unchanged as N/D, since we do not need any trial and error to pick the random startpoints, and simply wait for the special endpoints to occur randomly during our path evaluation. The total memory required to store the special points remains unchanged at M = mt/D. The total time T consists of t^2 evaluations of the f_i functions but only t disk operations. We can thus conclude that the resultant time/memory/data tradeoff remains unchanged as TM^2 D^2 = N^2 for T > D^2, but we gain by reducing the number of expensive disk operations by a factor of t. Rivest’s sampling idea thus has no asymptotic effect on Hellman-like tradeoff curves for block and stream ciphers, but drastically changes the BG tradeoff curve for stream ciphers.
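Rivest's special-point idea in code, as an added example that is not from the paper: chains are terminated at the first point whose low k = log2(t) bits are zero, so a table lookup is needed only once per chain instead of once per step. N = 2^18, t = 64, the truncated-hash f, the mask-XOR h_i and the MAX_LEN loop guard are assumptions of this example. The attack returns the number of f_i evaluations and of table lookups, so the t^2 versus t gap described in the text can be observed directly.

```python
import hashlib
import random

# Assumed parameters of this example: N = 2^18 points and chains of expected
# length t = 2^k, so the "special" points are the N/t points whose low k bits are
# zero, the fixed pattern Rivest proposed.
n = 18
N = 1 << n
k = 6
t = 1 << k
m = N // (t * t)      # matrix stopping rule m t^2 = N
MAX_LEN = 16 * t      # abandon a chain that loops without meeting a special point


def f(x):
    """Random-function stand-in for the state-to-prefix map (a truncated hash,
    an assumption of this example)."""
    return int.from_bytes(hashlib.sha256(x.to_bytes(4, "big")).digest()[:4], "big") & (N - 1)


def h(i, y):
    """Output modification defining the variant f_i(x) = h_i(f(x))."""
    return y ^ ((i * 0x9E3779B1) & (N - 1))


def f_i(i, x):
    return h(i, f(x))


def special(p):
    """A point is special when its name starts with k zero bits (here: low k bits)."""
    return p & (t - 1) == 0


def build_dp_tables(num_tables, seed=0):
    """Preprocessing with special points: each chain runs from a random startpoint
    until the first special point, and only (startpoint, special endpoint) pairs
    are stored, so every endpoint on "disk" is special."""
    rng = random.Random(seed)
    tables = []
    for i in range(num_tables):
        table = {}
        for _ in range(m):
            start = rng.randrange(N)
            p, steps = f_i(i, start), 1
            while not special(p) and steps < MAX_LEN:
                p, steps = f_i(i, p), steps + 1
            if special(p):
                table.setdefault(p, []).append(start)
        tables.append(table)
    return tables


def attack(tables, targets):
    """Realtime phase: for each (table, target) pair walk y_i = h_i(y) forward under
    f_i until a special point appears and only then do ONE table lookup, then
    replay any matching chain. Returns (j, x, evaluations, lookups) with
    f(x) = targets[j], or None; lookups is at most one per (table, target)."""
    evals = lookups = 0
    for i, table in enumerate(tables):
        for j, y in enumerate(targets):
            p, steps = h(i, y), 0
            while not special(p) and steps < MAX_LEN:
                p, steps = f_i(i, p), steps + 1
                evals += 1
            if not special(p):
                continue
            lookups += 1
            for start in table.get(p, []):
                cand = start
                while True:              # replay the chain up to its special endpoint
                    evals += 1
                    if f(cand) == y:
                        return j, cand, evals, lookups
                    if cand == p:
                        break
                    cand = f_i(i, cand)
    return None


if __name__ == "__main__":
    D = 8
    tables = build_dp_tables(t // D)                      # t/D tables, D targets
    rng = random.Random(1)
    targets = [f(rng.randrange(N)) for _ in range(D)]
    print(attack(tables, targets))
```

With t/D tables and D targets the attack performs at most (t/D) · D = t lookups, one per (table, target) pair, while the number of f_i evaluations stays around t^2; on real hardware the lookups are the disk operations that dominate the running time.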

5 Tradeoff Attacks on Stream Ciphers with Low Sampling Resistance

The TM^2 D^2 = N^2 tradeoff attack has feasible time, memory and data requirements even for N = 2^{100}. However, values of D > 2^{25} make each inversion attack very time consuming, since small values of T are not allowed by the T > D^2 condition, while large values of T do not benefit in practice from the Rivest sampling idea (since the T = t^2 evaluations of the f_i functions dominate the √T = t disk operations).

At FSE 2000, Biryukov, Shamir and Wagner [3] introduced a different notion 
of sampling, which will be called BSW sampling. It was used in [3] to attack the 
specific stream cipher A5/1, but that paper did not analyse its general impact 
on the various tradeoff formulas. In this paper we show that by using BSW 
sampling, we can make the new TM 2 D 2 = N 2 tradeoff applicable with a larger 
choice of possible T values and a smaller number of disk operations. 

The basic idea behind BSW sampling is that in many stream ciphers, the state undergoes only a limited number of simple transformations before emitting its next output bit, and thus it is possible to enumerate all the special states which generate k zero bits for a small value of k without expensive trial and error (especially when each output bit is determined by few state bits). This is almost always possible for k = 1, but gets increasingly more difficult when we try to force a larger number of output bits to have specific values. The sampling resistance of a stream cipher is defined as R = 2^{-k} where k is the maximum value for which this direct enumeration is possible. Stream ciphers were never designed to resist this new kind of sampling, and their sampling resistance can serve as a new quantifiable design-sensitive security measure. In the case of A5/1, Biryukov, Shamir and Wagner show that it is easy to directly enumerate the 2^{48} out of the 2^{64} states whose outputs start with 16 zeroes, and thus the sampling resistance of A5/1 is at most 2^{-16}. Note that BSW sampling is not applicable at all to block ciphers, since their thorough mixing of keys and plaintexts makes it very difficult to enumerate without trial and error all the keys which lead to ciphertexts with a particular pattern of k bits during the encryption of some fixed plaintext.

An obvious advantage of BSW sampling over Rivest sampling is that in the BG attack we can reduce the attack time T by a factor of R without increasing the preprocessing time P. We now describe how to apply the BSW sampling idea to the improved tradeoff attack TM^2 D^2 = N^2.

Consider a stream cipher with N = 2^n states. Each state has a full name of n bits, and an output name which consists of the first n bits in its output sequence. If the cipher has sampling resistance R = 2^{-k}, we can associate with each special state a short name of n - k bits (which is used by the efficient enumeration procedure to define this special state), and a short output of n - k bits (which is the output name of the special state without the k leading zeroes). We can thus define a new random mapping over a reduced space of NR = 2^{n-k} points, where each point can be viewed as either a short name or a short output. The mapping from short names to short outputs is easy to evaluate (by expanding the short names of special states to full names, running the generator, and discarding the k leading zeroes), and its inversion is equivalent to the original cryptanalytic problem restricted to special states.

We assume that DR > 1, and thus the available data contains at least one output which corresponds to some special state (if this is not the case we simply relax the definition of special states). We try to find the short name of any one of these DR special states by applying our TM^2 D^2 = N^2 inversion attack to the reduced space with the modified parameters of DR and NR instead of D and N. The factor R^2 is canceled out from the expression TM^2 (DR)^2 = (NR)^2, and thus the tradeoff relation remains unchanged. However, we gain in two other ways:

1. The original range of allowed values of T was lower bounded by D^2, which could be problematic for large values of D. This lower bound is now reduced to (DR)^2, which can be as small as 1. This makes it possible to use a wider range of T parameters, and speed up actual attacks.

2. The number of expensive disk operations is reduced from t to tR, since only the DR special points in the data have to be searched in the t/D matrices at a cost of one disk operation per matrix. This can greatly speed up attacks with moderate values of t in which the t disk operations dominate the t^2 function evaluations.

Table 1 summarizes the behavior of the three types of tradeoff attacks under 
the two types of sampling techniques discussed in this paper. It explains why 
BSW sampling can greatly reduce the time T, even though it has no effect on 
the asymptotic tradeoff relation itself. Only this type of sampling enabled [3] to 
attack A5/1 and find its 64 bit key in a few minutes of computation on a single 
PC using only 4,000 disk operations, given the data contained in the first two 
seconds of an encrypted GSM conversation. 


Sampling   BG attack                     Hellman's attack              Our attack
type       on stream ciphers             on block ciphers              on stream ciphers

Rivest     new tradeoffs:                unmodified tradeoff:          unmodified tradeoff:
           $TP = MD = N$                 $TM^2 = N^2$                  $TM^2D^2 = N^2$
           for $1 \le T \le D$,          for $1 \le T \le N$,          for $D^2 \le T \le N$,
           increased $P$                 fewer disk operations         fewer disk operations

BSW        unmodified tradeoff:          inapplicable to               unmodified tradeoff:
           $TM = N$, $1 \le T \le D$     block ciphers                 $TM^2D^2 = N^2$, wider
                                                                       range $(RD)^2 \le T \le N$,
                                                                       even fewer disk operations

Table 1. The effect of sampling on tradeoff attacks.
A The Sampling Resistance of Various Stream Cipher
Constructions

As we have seen in the main part of the paper, low sampling resistance of a stream
cipher allows for more flexible tradeoff attacks. In this appendix we briefly review
several popular constructions and discuss their sampling resistance.

A.1 Non-linear Filter Generators

In many proposed constructions a single linear feedback shift register (LFSR) is
tapped in several locations, and a non-linear function $f$ of these taps produces
the output stream. Such stream ciphers are called non-linear filter generators,
and the non-linear function is called a filter. The sampling resistance of such
constructions depends on the location of the taps and on the properties of the
function $f$. A crucial factor in determining the sampling resistance of such
constructions is how many bits of the function's input must be fixed so that the
function of the remaining bits is linear.

Multiplexor is a boolean function, which takes $s = \log t + t$ bits of the output,
and treats the first $\log t$ bits as an address of the bit in the next $t$ bits. This bit
becomes the output of the function. In order to linearize the output of the
multiplexor one needs to fix only $\log t$ bits. Multiplexor is thus a weak function
in terms of linearization. The actual sampling resistance of the multiplexor is
influenced by the minimal distance between the address taps and the minimal
distance from the address taps to the output tap.

As a second example, consider the filter function

$$f(x_1, \dots, x_s) = g(x_1, \dots, x_{s-1}) \oplus x_s .$$

If there is a gap of length $l$ between tap $x_s$ and the other taps $x_1, \dots, x_{s-1}$, then
the sampling resistance is at most $2^{-l}$, since by proper choice of the $s-1$ bits we
can linearize the output of the function $f$. Suppose that our aim is to efficiently
enumerate all the $2^{n-l}$ states that produce a prefix of $l$ zeroes. We can do this
by setting the $n-l$ non-gap bits to an arbitrary value, and then at each clock we
choose the $x_s$ bit in a way that zeroes the function $f$ (assuming that feedback
taps are not present in the gap of $l$ bits).


Sum of Products A sum of products is the following boolean function: Pick
a set of disjoint pairs of variables from the stream cipher's state:
$(x_{i_1}, x_{i_2}), (x_{i_3}, x_{i_4}), \dots, (x_{i_{s-1}}, x_{i_s})$. Define the filter function as:

$$f(x_1, \dots, x_s) = \bigoplus_{j = 1, 3, \dots, s-1} x_{i_j} \cdot x_{i_{j+1}} .$$

A sum of products becomes a linear function if $s/2$ of its variables (one for each
pair) are fixed. If these variables are all set equal to zero then $f$ becomes the
constant function $f = 0$. We can thus expect this function to have a moderate
resistance to sampling. The non-linear order of this function is only 2 and thus
by controlling any pair $(x_{i_j}, x_{i_{j+1}})$ we can create any desired value of the filter
function. For example if the target pair is $(x_{i_1}, x_{i_2})$ then the function $f$ can be
decomposed into:

$$f(x_1, \dots, x_s) = x_{i_1} x_{i_2} \oplus g(x_{i_3}, \dots, x_{i_s}) .$$

At each step if the value of $g$ is zero, the values of the target pair can be chosen
arbitrarily out of $(0,0), (0,1), (1,0)$. If however $g = 1$, then the value of the
target pair must be $(1,1)$. Thus if the control pair is in a tap-less region of size
$2l$ with a gap $l$ between the controlling taps, the sampling resistance of this
cipher is at most $2^{-l}$.

As another example, suppose that a consecutive pair of bits is used as a target 
pair. It seems problematic to use a consecutive pair for product linearization, 
since sometimes we have to set both bits to 1. This is however not the case if we 
relax our requirements, and use output prefixes with non-consecutive bits forced 
to have particular values. For example, prefixes in which every second bit is set 
to zero (and with arbitrary bits in between) can be easily generated in this sum 
of adjacent products. 

Suppose now that in each pair the first element is from the first half of the
register and the second element comes from the second half. Suppose also that
the feedback function taps the most significant bit and some taps from the lower
half of the register. In this case the sampling resistance is only $2^{-n/2}$. We set
to arbitrary values the $n/2$ bits of the lower half of the register and guess the
most significant tap bit. This way we know the input to the feedback function
and linearize the output function. Forcing the output of the filter function at
each step yields a linear equation (whose coefficients come from the lower half
of the register and whose variables come from the upper half). After $n/2$ steps
we have $n/2$ linear equations in $n/2$ variables which can be easily solved. This
way we perform enumeration of all the states that produce the desired output.

Moreover, if all pairs in the product are consecutive, then even a more inter- 
esting property holds. We can linearize the function just by fixing a subset of 
n/2 even (or odd) bits of the register, and thus linearization is preserved even 
after shifting the register (with possible interference of the feedback function). 


A.2 Shrinking and Self-Shrinking Generators

The shrinking generator is a simple construction suggested by [1] which is not
based on the filter idea. This generator uses two regularly clocked LFSRs and the
output of the first one decides whether the output of the second will appear in
the output stream or will be discarded. This generator has good statistical prop-
erties like long periods and high linear complexity. A year later a self-shrinking
generator (which uses one LFSR clocked twice) was proposed by [6]. The output
of the LFSR is determined by a pair of most significant bits $a_{n-1}, a_n$ of the
LFSR state: If $a_{n-1} = 1$ the output is $a_n$, and if $a_{n-1} = 0$ there is no output
in this clock cycle. This construction has the following sampling algorithm: pick
an arbitrary value for the $n/2$ decision bits, and for each pair with a decision bit equal
to 1 set the corresponding output bit to 0. If the decision bit is 0 then we have
freedom of choice and we enumerate both possibilities. The sampling resistance
of this construction is thus $2^{-n/4}$.
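The sampling algorithm above, as an added worked example (not code from the paper): a toy self-shrinking generator on an $n = 8$ bit register, the constructive enumeration of the "special" states whose first $n/2$ steps emit only zeros, and a brute-force cross-check over all $2^n$ states. The feedback taps are an assumption chosen for the toy; they do not influence the first $n/2$ steps, which consume only the initial register bits. The pair (decision bits, free bits) is the short name in the sense of the reduced-space mapping earlier in the paper: it indexes the $3^{n/2}$ special states without trying all $2^n$, and on average $n/4$ output bits are forced to zero, which is where the $2^{-n/4}$ figure comes from.

```python
# Added example: sampling the special states of a toy self-shrinking generator.
# Not the paper's code. TAPS are an assumption of the toy.
from itertools import product

N_BITS = 8                 # register length n of the toy generator (must be even)
TAPS = (8, 6, 5, 4)        # assumed feedback x^8+x^6+x^5+x^4+1; irrelevant to the first n/2 steps


def lfsr_clock(state):
    """Fibonacci LFSR step: emit state[0], shift, append the XOR of the tapped bits."""
    feedback = 0
    for tap in TAPS:
        feedback ^= state[tap - 1]
    return state[0], state[1:] + (feedback,)


def self_shrinking_output(state, steps):
    """Self-shrinking generator: each step clocks the LFSR twice, giving a pair (a, b);
    the pair emits b when a == 1 and nothing when a == 0. Returns (output bits, new state)."""
    out = []
    for _ in range(steps):
        a, state = lfsr_clock(state)
        b, state = lfsr_clock(state)
        if a == 1:
            out.append(b)
    return out, state


def sample_special_states(n):
    """The appendix's sampling procedure: choose the n/2 decision bits freely; a pair whose
    decision bit is 1 has its output bit forced to 0, a pair whose decision bit is 0 leaves
    it free. (decisions, free bits) is the short name; the full state is rebuilt from it."""
    states = []
    for decisions in product((0, 1), repeat=n // 2):
        free_slots = [i for i, dec in enumerate(decisions) if dec == 0]
        for free_bits in product((0, 1), repeat=len(free_slots)):
            free = dict(zip(free_slots, free_bits))
            state = [0] * n
            for i, dec in enumerate(decisions):
                state[2 * i] = dec
                state[2 * i + 1] = free[i] if dec == 0 else 0
            states.append(tuple(state))
    return states


def brute_force_special_states(n):
    """All states whose first n/2 steps (which consume exactly the n initial bits) emit only zeros."""
    return [s for s in product((0, 1), repeat=n)
            if not any(self_shrinking_output(s, n // 2)[0])]


def mean_forced_bits(n):
    """Average number of output bits emitted in the first n/2 steps over all 2^n states (n/4)."""
    total = sum(len(self_shrinking_output(s, n // 2)[0]) for s in product((0, 1), repeat=n))
    return total / 2 ** n


if __name__ == "__main__":
    sampled = sample_special_states(N_BITS)
    print(len(sampled), "special states enumerated, 3^(n/2) =", 3 ** (N_BITS // 2))
    print("brute force agrees:", sorted(sampled) == sorted(brute_force_special_states(N_BITS)))
    print("mean forced output bits:", mean_forced_bits(N_BITS), "= n/4")
```

For $n = 8$ the enumeration produces $81 = 3^4$ states out of 256, each of which is guaranteed to emit only zeros for as long as the initial register bits last; the short name is the index into that enumeration, which is what the tradeoff attack stores and searches instead of full states.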
Abstract. At Asiacrypt '99, Sun, Yang and Laih proposed three RSA
variants with short secret exponent that resisted all known attacks, in-
cluding the recent Boneh-Durfee attack from Eurocrypt '99 that im-
proved Wiener's attack on RSA with short secret exponent. The resis-
tance comes from the use of unbalanced primes $p$ and $q$. In this paper, we
extend the Boneh-Durfee attack to break two out of the three proposed
variants. While the Boneh-Durfee attack was based on Coppersmith's
lattice-based technique for finding small roots of bivariate modular poly-
nomial equations, our attack is based on its generalization to trivariate
modular polynomial equations. The attack is heuristic but works well
in practice, like the Boneh-Durfee attack. In particular, we were able to
break in a few minutes the numerical examples proposed by Sun, Yang
and Laih. The results illustrate once again the fact that one should be
very cautious when using a short secret exponent with RSA.


1 Introduction 

The RSA [13] cryptosystem is the most widely used public-key cryptosystem.
However, RSA is computationally expensive, as it requires exponentiations mod-
ulo $N$, where $N$ is a large integer (at least 1024 bits due to recent progress in
integer factorization [4]) product of two primes $p$ and $q$. Consequently, speeding
up RSA has been a stimulating area of research since the invention of RSA.
Perhaps the simplest method to speed up RSA consists of shortening the expo-
nents of the modular exponentiations. If $e$ is the RSA public exponent and $d$
is the RSA secret exponent, one can either choose a small $e$ or a small $d$. The
choice of a small $d$ is especially interesting when the device performing secret
operations (signature generation or decryption) has limited computing power,
such as smartcards. Unfortunately, Wiener [20] showed over 10 years ago that if
$d < N^{0.25}$, then one could (easily) recover $d$ (and hence, the secret primes $p$ and
$q$) in polynomial time from $e$ and $N$ using the continued fractions algorithm.

T. Okamoto (Ed.): ASIACRYPT 2000, LNCS 1976, pp. 14-29, 2000. 
Verheul and van Tilborg [19] slightly improved the bound in 1997, by showing
that Wiener's attack could be applied to larger $d$, provided an exhaustive search
on about $2\log_2(d/N^{0.25})$ bits. At Eurocrypt '99, Boneh and Durfee [3] presented
the first substantial improvement over Wiener's bound. Their attack can (heuris-
tically) recover $p$ and $q$ in polynomial time if $d < N^{0.292}$. The attack is heuristic
because it is based on the seminal lattice-based work by Coppersmith [5] on
finding small roots of low-degree modular polynomial equations, in the bivari-
ate case (see footnote 1). However, it should be emphasized that the attack works very well in
practice.

At Asiacrypt '99, Sun, Yang and Laih [18] noticed that all those attacks on
RSA with short secret exponent required some (natural) assumptions on the
public modulus $N$. For instance, Wiener's bound $N^{0.25}$ only holds if $p + q =
O(\sqrt N)$, and $e$ is not too large. Similar restrictions apply to the extension of
Wiener's attack by Verheul-van Tilborg [19], and to the Boneh-Durfee attack [3].
This led Sun, Yang and Laih to propose in [18] simple variants of RSA using a
short secret exponent that, a priori, foiled all such attacks due to the previous
restrictions. More precisely, they proposed three RSA schemes, in which only the
(usual) RSA key generation is modified. In the first scheme, one chooses $p$ and $q$
of greatly different size, and a small exponent $d$ in such a way that the previous
attacks cannot apply. In particular, $d$ can even be smaller than $N^{0.25}$ if $p$ and $q$
are unbalanced enough. The second scheme consists of a tricky construction that
selects slightly unbalanced $p$ and $q$ in such a way that both $e$ and $d$ are small,
roughly around $\sqrt N$. The third scheme is a mix of the first two schemes, which
allows a trade-off between the sizes of $e$ and $d$. Sakai, Morii and Kasahara [14]
earlier proposed a different key generation scheme which achieves similar results
to the third scheme, but that scheme can easily be shown insecure (see [18]).

In this paper, we show that the first and third schemes of [18] are insecure,
by extending the Boneh-Durfee attack. Our attack can also break the second
scheme, but only if the parameters are carelessly chosen. Boneh and Durfee
reduced the problem of recovering the factors $p$ and $q$ to finding small roots
of a particular bivariate modular polynomial equation derived from the basic
equation $ed \equiv 1 \pmod{\phi(N)}$. Next, they applied an optimized version (for that
particular equation) of Coppersmith's generic technique [5] for such problems.
However, when $p$ and $q$ are unbalanced, the particular equation used by Boneh
and Durfee is not enough, because it no longer has any "small" root. Our attack
extends the Boneh-Durfee method by taking into account the equation $N = pq$.
We work with a system of two modular equations with three unknowns; interest-
ingly, when $p$ and $q$ are imbalanced, this approach leads to an attack on systems
with $d$ even larger than the $N^{0.292}$ bound of Boneh and Durfee. The attack is
extremely efficient in practice: for typical instances of two of the schemes of [18],
this approach breaks the schemes within several minutes. Also, the "trivariate"
version of Coppersmith's technique we use may be of independent interest.


1 The bivariate case is only heuristic for now, as opposed to the (simpler) univari- 
ate case, for which the method can be proved rigorously. For more information, 
see [5,2,12]. 
The remainder of this paper is organized as follows. In Section 2, we briefly
review former attacks on RSA with short secret exponents, recalling necessary 
background on lattice theory and Coppersmith’s method to find small roots of 
low-degree modular polynomial equations. This is useful to explain our attacks. 
In Section 3, we describe the RSA schemes with short secret exponent of [18]. In 
Section 4, we present the new attack using the trivariate approach. We discuss 
an implementation of the attack and its running time on typical instances of the 
RSA variants in Section 5. 

2 Former Attacks on RSA with Short Secret Exponent 

All known attacks on RSA with short secret exponent focus on the equation
$ed \equiv 1 \pmod{\phi(N)}$ (where $\phi(N) = N - (p+q) + 1$) rewritten as:

$$ed = 1 + k\left(\frac{N+1}{2} - s\right) \qquad (1)$$

where $k$ is an unknown integer and $s = (p+q)/2$. The primes $p$ and $q$ can be
recovered from either $d$ or $s$. Note that $k$ and $d$ are coprime.

2.1 The Wiener Attack

Wiener's attack [20] is based on the continued fractions algorithm. Recall that
if two (unknown) coprime integers $A$ and $B$ satisfy $\left|x - \frac{A}{B}\right| < \frac{1}{2B^2}$ where $x$ is a
known rational, then $\frac{A}{B}$ can be obtained in polynomial time as a convergent of
the continued fraction expansion of $x$. Here, (1) implies that

$$\left|\frac{2e}{N} - \frac{k}{d}\right| = \frac{|2 + k(1 - 2s)|}{Nd} .$$

Therefore, if $\frac{|k(2s-1) - 2|}{N} < \frac{1}{2d}$, $d$ can be recovered in polynomial time from $e$ and
$N$, as $k/d$ is a convergent of the continued fraction expansion of $2e/N$. That
condition can roughly be simplified to $ksd = O(N)$, and is therefore satisfied if
$k$, $s$ and $d$ are all sufficiently small. In the usual RSA key generation, $s = O(\sqrt N)$
and $k = O(d)$, which leads to the approximate condition $d = O(N^{0.25})$. But the
condition gets worse if $p$ and $q$ are unbalanced, making $s$ much larger than $\sqrt N$.
For instance, if $p = O(N^{0.25})$, the condition becomes $d = O(N^{0.125})$.

The extension of Wiener's attack by Verheul and van Tilborg [19] applies to
$d > N^{0.25}$ provided exhaustive search on $O(\log_2(d/N^{0.25}))$ bits if $p$ and $q$ are
balanced. Naturally, the attack requires much more exhaustive search if $p$ and $q$
are unbalanced.
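Wiener's attack in the paper's $2e/N$ formulation, as an added Python example (not the paper's code). The key is constructed from two fixed balanced primes and a chosen 11-bit $d$, so the condition $ksd = O(N)$ holds comfortably; `legendre_condition` tests the exact inequality $|2e/N - k/d| < 1/(2d^2)$ that guarantees $k/d$ shows up among the convergents, and is the check to run before expecting the attack to work on an unbalanced modulus, where $s$ grows and the inequality fails for the same $d$. Recovery proceeds as in the text: walk the convergents $k/d$ of $2e/N$, recover $\phi(N)/2 = (N+1)/2 - s$ from $ed = 1 + k\phi(N)/2$, and factor $N$ via $s = (p+q)/2$.

```python
# Added example: Wiener's attack via convergents of 2e/N (the paper's form of eq. (1)).
# Not the paper's code; the primes and d below are a constructed toy key.
from math import gcd, isqrt


def continued_fraction(num, den):
    """Partial quotients [a0; a1, a2, ...] of the rational num/den."""
    quotients = []
    while den:
        a, rem = divmod(num, den)
        quotients.append(a)
        num, den = den, rem
    return quotients


def convergents(quotients):
    """Successive convergents h/k of a continued fraction, yielded as (h, k) in lowest terms."""
    h_prev, h = 0, 1
    k_prev, k = 1, 0
    for a in quotients:
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        yield h, k


def rsa_key_from_small_d(p, q, d):
    """Constructed key: derive the public exponent from two primes and a chosen small d."""
    phi = (p - 1) * (q - 1)
    if gcd(d, phi) != 1:
        raise ValueError("d must be invertible modulo phi(N)")
    return pow(d, -1, phi), p * q


def legendre_condition(e, N, d, p, q):
    """Exact test of |2e/N - k/d| < 1/(2 d^2) for the true k (the 'ksd = O(N)' condition).
    When it holds, k/d is guaranteed to appear among the convergents of 2e/N."""
    s = (p + q) // 2
    k = 2 * (e * d - 1) // ((p - 1) * (q - 1))      # ed = 1 + k * phi(N)/2
    return 2 * d * abs(2 + k * (1 - 2 * s)) < N


def wiener_attack(e, N):
    """Recover (d, p, q) from (e, N) when d is small enough. With ed = 1 + k((N+1)/2 - s)
    and s = (p+q)/2, k/d is a convergent of 2e/N; each candidate is verified by factoring."""
    for k, d in convergents(continued_fraction(2 * e, N)):
        if k == 0 or (e * d - 1) % k:
            continue
        half_phi = (e * d - 1) // k       # candidate (N+1)/2 - s = phi(N)/2
        s = (N + 1) // 2 - half_phi       # candidate (p+q)/2
        disc = s * s - N                  # equals ((q-p)/2)^2 for the right candidate
        if disc < 0:
            continue
        r = isqrt(disc)
        if r * r != disc:
            continue
        p, q = s - r, s + r
        if 1 < p < q and p * q == N:
            return d, p, q
    return None


# Constructed toy key: balanced ~30-bit primes and an 11-bit d, well inside Wiener's bound.
P, Q, D = 1000000007, 2147483647, 2003
E, N = rsa_key_from_small_d(P, Q, D)

if __name__ == "__main__":
    print("condition holds:", legendre_condition(E, N, D, P, Q))
    print("recovered (d, p, q):", wiener_attack(E, N))
```

The `(e*d - 1) % k` filter and the perfect-square test on $s^2 - N$ reject every wrong convergent, so a returned triple is always a genuine factorization; a `None` result means $d$ was too large for this $N$, which is exactly what happens once $p$ and $q$ are unbalanced enough.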

2.2 The Boneh-Durfee Attack

The Small Inverse Problem. The Boneh-Durfee attack [3] looks at the equa-
tion (1) modulo $e$:

$$k\left(\frac{N+1}{2} - s\right) \equiv -1 \pmod e . \qquad (2)$$
Assume that the usual RSA key generation is used, so that $|s| < \sqrt e$ and $|k| < d$
(ignoring small constants). The problem of finding such a small root $(s, k)$ of that
bivariate modular equation was called the small inverse problem in [3], since one
is looking for a number $(N+1)/2 - s$ close to $(N+1)/2$ such that its inverse
$-k$ modulo $e$ is rather small. Note that heuristically, the small inverse problem
is expected to have a unique solution whenever $|k| < d < N^{0.5}$. This led Boneh
and Durfee to conjecture that RSA with $d < N^{0.5}$ is insecure.

Coppersmith [5] devised a general lattice-based technique to find sufficiently
small roots of low-degree modular polynomial equations, which we will review
in the next subsections, as it is the core of our attacks. By optimizing that
technique to the specific polynomial of (2), Boneh and Durfee showed that one
could solve the small inverse problem (and hence, break RSA) when $d < N^{0.292}$.
This bound corresponds to the usual case of balanced $p$ and $q$. It gets worse as
$p$ and $q$ are unbalanced (see [3,18]), because $s$ becomes larger.

Lattice Theory. Coppersmith’s technique, like many public-key cryptanalyses, 
is based on lattice basis reduction. We only review what is strictly necessary for 
this paper. Additional information on lattice theory can be found in numerous 
textbooks, such as [6,17]. For the important topic of lattice-based cryptanalysis, 
we refer to the recent survey [12]. 

We will call lattice any subgroup of some $(\mathbb{Z}^n, +)$, which corresponds to the
case of integer lattices in the literature. Consequently, for any integer vectors
$\mathbf b_1, \dots, \mathbf b_r$, the set $L(\mathbf b_1, \dots, \mathbf b_r) = \{\sum_{i=1}^r n_i \mathbf b_i \mid n_i \in \mathbb Z\}$ of all integer linear
combinations of the $\mathbf b_i$'s is a lattice, called the lattice spanned by the $\mathbf b_i$'s. In
fact, all lattices are of that form. When $L = L(\mathbf b_1, \dots, \mathbf b_r)$ and the $\mathbf b_i$'s are
further linearly independent (over $\mathbb Z$), then $(\mathbf b_1, \dots, \mathbf b_r)$ is called a basis of $L$.
Any lattice $L$ has infinitely many bases. However, any two bases share some
things in common, notably the number of elements $r$ and the Gram determinant
$\det_{1 \le i,j \le r} \langle \mathbf b_i, \mathbf b_j \rangle$ (where $\langle \cdot, \cdot \rangle$ denotes the Euclidean dot product). The parameter
$r$ is called the lattice dimension (or rank), while the square root of the Gram
determinant is the lattice volume (or determinant), denoted by $\mathrm{vol}(L)$. The name
volume comes from the fact that the volume matches the $r$-dimensional volume of
the parallelepiped spanned by the $\mathbf b_i$'s. In the important case of full-dimensional
lattices ($r$ equal to $n$), the volume is also the absolute value of the determinant of
any basis (hence the name determinant). In general, it is hard to give a "simple"
expression for the lattice volume, and one contents oneself with Hadamard's
inequality to estimate the volume:

$$\mathrm{vol}(L) \le \prod_{i=1}^r \|\mathbf b_i\| .$$

Fortunately, sometimes, the lattice is full-dimensional and we know a specific
basis which is triangular, making the volume easy to compute.

The volume is important because it enables one to estimate the size of
short lattice vectors. A well-known result by Minkowski shows that in any $r$-
dimensional lattice $L$, there exists a non-zero $\mathbf x \in L$ such that $\|\mathbf x\| \le \sqrt r \cdot
\mathrm{vol}(L)^{1/r}$, where $\|\cdot\|$ denotes the Euclidean norm. That bound is in some (nat-
ural) sense the best possible. The LLL algorithm [9] can be viewed, from a
qualitative point of view, as a constructive version of Minkowski's result. Given
any basis of some lattice $L$, the LLL algorithm outputs in polynomial time a
so-called LLL-reduced basis of $L$. The exact definition of an LLL-reduced basis
is beyond the scope of this paper, we only mention the properties that are of
interest here:

Fact 1. Any LLL-reduced basis $(\mathbf b_1, \dots, \mathbf b_r)$ of a lattice $L$ in $\mathbb Z^n$ satisfies:

$$\|\mathbf b_1\| \le 2^{r/2}\,\mathrm{vol}(L)^{1/r} \quad \text{and} \quad \|\mathbf b_2\| \le 2^{(r-1)/2}\,\mathrm{vol}(L)^{1/(r-1)} .$$


Coppersmith's Technique. For a discussion and a general exposition of Cop-
persmith's technique [5], see the recent surveys [2,12]. We describe the tech-
nique in the bivariate case, following a simplified approach due to Howgrave-
Graham [7].

Let $e$ be a large integer of possibly unknown factorization. Assume that
one would like to find all small roots of $f(x,y) \equiv 0 \pmod e$, where $f(x,y)$
is an integer bivariate polynomial with at least one monomial of maximal total
degree which is monic. If one could obtain two algebraically independent integral
bivariate polynomial equations satisfied by all sufficiently small modular roots
$(x,y)$, then one could compute (by resultant) a univariate integral polynomial
equation satisfied by $x$, and hence find efficiently all small $(x,y)$. Coppersmith's
method tries to obtain such equations from reasonably short vectors in a certain
lattice. The lattice comes from the linearization of a set of equations of the form
$x^u y^v f(x,y)^w \equiv 0 \pmod{e^w}$ for appropriate integral values of $u$, $v$ and $w$. Such
equations are satisfied by any solution of $f(x,y) \equiv 0 \pmod e$. Small solutions
$(x_0, y_0)$ give rise to unusually short solutions to the resulting linear system,
hence short vectors in the lattice. To transform modular equations into integer
equations, one uses the following elementary lemma, with the (natural) notation
$\|h(x,y)\| = \sqrt{\sum_{i,j} a_{ij}^2}$ for $h(x,y) = \sum_{i,j} a_{ij} x^i y^j$:

Lemma 2. Let $h(x,y) \in \mathbb Z[x,y]$ be a polynomial which is a sum of at most
$r$ monomials. Suppose that $h(x_0, y_0) \equiv 0 \pmod{e^m}$ for some positive integer $m$
where $|x_0| < X$ and $|y_0| < Y$, and $\|h(xX, yY)\| < e^m/\sqrt r$. Then $h(x_0, y_0) = 0$
holds over the integers.

Now the trick is, given a parameter $m$, to consider the polynomials

$$h_{u_1,u_2,v}(x,y) = e^{m-v} x^{u_1} y^{u_2} f(x,y)^v ,$$

where $u_1$, $u_2$ and $v$ are integers. Notice that any root $(x_0,y_0)$ of $f(x,y)$ mod-
ulo $e$ is a root modulo $e^m$ of $h_{u_1,u_2,v}(x,y)$, and therefore, of any integer linear
combination $h(x,y)$ of the $h_{u_1,u_2,v}(x,y)$'s. If such a combination $h(x,y)$ further
satisfies $\|h(xX, yY)\| < e^m/\sqrt r$, where $r$ is the number of monomials of $h$, then
by Lemma 2, the integer equation $h(x,y) = 0$ is satisfied by all sufficiently
small modular roots of $f$ modulo $e$. Thus, it suffices to find two algebraically
independent such equations $h_1(x,y)$ and $h_2(x,y)$.

The use of integer linear combinations suggests that we represent the poly-
nomials as vectors in a lattice, so that finding polynomials with small norm
reduces to finding short vectors in a lattice. More precisely, let $S$ be a set of
indices $(u_1, u_2, v)$, and choose a representation of the polynomials $h_{u_1,u_2,v}(x,y)$
with $(u_1, u_2, v) \in S$ as $n$-dimensional integer vectors for some $n$. Let $L$ be the
lattice in $\mathbb Z^n$ spanned by the vectors corresponding to $h_{u_1,u_2,v}(xX, yY)$ with
$(u_1, u_2, v) \in S$. Apply the LLL algorithm on the lattice, and let $h_1(xX, yY)$ and
$h_2(xX, yY)$ be the polynomials corresponding to the first two vectors of the re-
duced basis obtained. Denoting by $r$ the dimension of $L$, one deduces from the
LLL theoretical bounds that:

$$\|h_1(xX, yY)\| \le 2^{r/2}\,\mathrm{vol}(L)^{1/r} \quad \text{and} \quad \|h_2(xX, yY)\| \le 2^{(r-1)/2}\,\mathrm{vol}(L)^{1/(r-1)} .$$

To apply Lemma 2, we want both of these upper bounds to be less than $e^m/\sqrt n$;
since the factor $2^r$ is negligible with respect to $e^m$, this amounts to saying

$$\mathrm{vol}(L) < e^{mr} . \qquad (3)$$

There are two problems. The first problem is that even if this condition is satis-
fied, so that Lemma 2 applies, we are not guaranteed that the integer equations
$h_1(x,y) = 0$ and $h_2(x,y) = 0$ obtained are algebraically independent. In other
words, $h_2$ will provide no additional information beyond $h_1$ if the two linearly
independent short basis vectors do not also yield algebraically independent equa-
tions. It is still an open problem to state precisely when this can be guaranteed,
although all experiments to date suggest this is an accurate heuristic assumption
to make when inequality (3) holds. We note that a similar assumption is used
in the work of Bleichenbacher [1] and Jutla [8].

The second problem is more down-to-earth: how can we make sure that $\mathrm{vol}(L)$
is small enough to satisfy inequality (3)? Note that Hadamard's bound is un-
likely to be useful. Indeed, in general, some of the coefficients of $f(x,y)$ are about
the size of $e$, so that $\|h_{u_1,u_2,v}(xX, yY)\|$ is at least $e^m$. To address this problem,
one must choose in a clever way the set of indices $S$ to have a close estimate on
$\mathrm{vol}(L)$. The simplest solution is to choose $S$ so that $L$ is full-dimensional ($r$ equal
to $n$) and the $h_{u_1,u_2,v}(xX, yY)$'s form a triangular matrix for some ordering on
the polynomials and on the monomials (the vector coordinates). Since we want
$\mathrm{vol}(L)$ to be small, each coefficient on the diagonal should be the smallest one
of $h_{u_1,u_2,v}(xX, yY) = e^{m-v}(xX)^{u_1}(yY)^{u_2} f(xX, yY)^v$, which is likely to be the
one corresponding to the monic monomial of maximal total degree of $f(x,y)$.

In the general case, $f(x,y)$ may have several monomials of maximal total
degree, and the only simple choice of $S$ is to cover all the monomials of total
degree less than some parametrized bound. More precisely, if $\Delta$ is the total
degree of $f(x,y)$, and $x^a y^{\Delta - a}$ is a monic monomial of $f(x,y)$, one defines $S$ as
the set of $(u_1, u_2, v)$ such that $u_1 + u_2 + \Delta v \le m\Delta$ and $u_1, u_2, v \ge 0$ with $u_1 < a$
or $u_2 < \Delta - a$. Then the volume of the corresponding lattice can be computed
exactly, and it turns out that (3) is satisfied whenever $XY < e^{1/\Delta - \varepsilon}$ for any
$\varepsilon > 0$, provided $m$ is sufficiently large.

However, depending on the shape of $f(x,y)$ (represent each monomial $x^i y^j$
by the point $(i,j)$), other choices of $S$ might lead to improved bounds. Boneh and
Durfee applied such tricks to the polynomial (2). In [3], they discussed several
choices of $S$. Using certain sets $S$ for which the lattice is full-dimensional and
one knows a triangular lattice basis, they obtained a first bound $d < N^{0.284}$
for their attack. Next, they showed that using a slightly different $S$ for which
the lattice is no longer full-dimensional, one ends up with the improved bound
$d < N^{0.292}$. The latter choice of $S$ is much harder to analyze. For more details,
see [3].

3 The Sun-Yang-Laih RSA Key Generation Schemes

3.1 Scheme (I)

The first scheme corresponds to a simple unbalanced RSA [15] in which the
parameters are chosen to foil previously known attacks:

1. Select two random primes $p < q$ such that both $p$ and $N = pq$ are suf-
ficiently large to foil factorization algorithms such as ECM and NFS. The
more unbalanced $p$ and $q$ are, the smaller $d$ can be.

2. Randomly select the secret exponent $d$ such that $\log_2 d + \log_2 p > \frac{1}{3}\log_2 N$
and $d > 2^\gamma \sqrt p$, where $\gamma$ is the security parameter (larger than 64).

3. If the public exponent $e$ defined by $ed \equiv 1 \pmod{\phi(N)}$ is not larger than
$\phi(N)/2$, one restarts the previous step.

A choice of parameters suggested by the authors is: $p$ is a 256-bit prime, $q$ is a
768-bit prime, $d$ is a 192-bit number. Note that 192 is far below Wiener's bound
(256 bits) and Boneh-Durfee's bound (299 bits).

3.2 Scheme (II)

The second scheme selects one of the primes in such a way that one can select $e$
and $d$ to be small at the same time:

1. Fix the bit-length of $N$.

2. Select a random prime $p$ of $\frac12\log_2 N - 112$ bits, and a random $k$ of 112 bits.

3. Select a random $d$ of $\frac12\log_2 N + 56$ bits coprime with $k(p-1)$.

4. Compute the two Bezout integers $u$ and $v$ such that $du - k(p-1)v = 1$,
$0 < u < k(p-1)$ and $0 < v < d$.

5. Return to Step 3 if $v + 1$ is not coprime with $d$.

6. Select a random $h$ of 56 bits until $q = v + hd + 1$ is prime.

The RSA parameters are $p$, $q$, $e = u + hk(p-1)$, $d$ and $N = pq$. Notice that $e$ and
$d$ satisfy the equation $ed = 1 + k\phi(N)$. They both have approximate bit-length
$\frac12\log_2 N + 56$. The primes $p$ and $q$ have approximate bit-length $\frac12\log_2 N - 112$
and $\frac12\log_2 N + 112$ respectively.

A possible choice of parameters for Scheme (II) might be: $p$ a 400-bit prime,
$q$ a 624-bit prime, and $e$ and $d$ are each 568-bit integers.
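Scheme (II) key generation, as an added Python example written for this page (not the authors' code), at a scaled-down toy size. Bit lengths are parametrised by `nbits` and `delta`, which stand for $\log_2 N$ and the constant 112 of the paper (with $h$ getting `delta//2` bits in place of 56); the Miller-Rabin primality test and the seeded random generator are assumptions of the example. The point of the construction is the identity $ed = du + hk(p-1)d = 1 + k(p-1)(v + hd) = 1 + k(p-1)(q-1)$, which is what makes $e$ and $d$ simultaneously short; the example checks it.

```python
# Added example: Sun-Yang-Laih Scheme (II) key generation at toy size. Not the authors' code.
# nbits plays log2 N, delta plays the paper's 112 (h gets delta//2 bits, the paper's 56).
import random
from math import gcd


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin with random bases (an assumption of the example; any primality test will do)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # exact bit-length, odd
        if is_probable_prime(cand, rng):
            return cand


def syl_scheme2_keygen(nbits, delta, rng):
    """Steps 2-6 of Scheme (II). Returns (p, q, e, d, k)."""
    half = nbits // 2
    p = random_prime(half - delta, rng)                                  # step 2
    k = rng.getrandbits(delta) | (1 << (delta - 1))                       # step 2: delta-bit k
    M = k * (p - 1)
    while True:
        d = rng.getrandbits(half + delta // 2) | (1 << (half + delta // 2 - 1))   # step 3
        if gcd(d, M) != 1:
            continue
        u = pow(d, -1, M)            # step 4: d*u - M*v = 1 with 0 < u < M ...
        v = (d * u - 1) // M         # ... and 0 <= v < d
        if gcd(v + 1, d) != 1:       # step 5
            continue
        for _ in range(1 << (delta // 2)):                               # step 6
            h = rng.getrandbits(delta // 2) | (1 << (delta // 2 - 1))
            q = v + h * d + 1
            if is_probable_prime(q, rng):
                e = u + h * M        # e = u + h*k*(p-1)
                return p, q, e, d, k
        # no prime q found for this d: back to step 3


def demo_key(seed=2000, nbits=64, delta=14):
    """Generate one toy key and report the properties the text claims for the scheme."""
    rng = random.Random(seed)
    p, q, e, d, k = syl_scheme2_keygen(nbits, delta, rng)
    N, phi = p * q, (p - 1) * (q - 1)
    return {
        "N_bits": N.bit_length(), "e_bits": e.bit_length(), "d_bits": d.bit_length(),
        "ed_mod_phi": (e * d) % phi,              # 1 for a valid RSA key pair
        "k_recovered": (e * d - 1) // phi == k,   # ed = 1 + k*phi(N) exactly
        "both_exponents_short": e < N and d < N,
    }


if __name__ == "__main__":
    print(demo_key())
```

With `nbits=64, delta=14` the toy key has an 18-bit $p$, a $\sim$45-bit $q$, and $e$ and $d$ of roughly 39 bits each, i.e. both exponents are about $N^{0.6}$: far above Wiener's and Boneh-Durfee's bounds for $d$, which is exactly the property the scheme relies on.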
3.3 Scheme (III)

The third scheme is a mix of the first two schemes, allowing a trade-off between $e$
and $d$ such that $\log_2 e + \log_2 d \approx \log_2 N + \ell_k$, where $\ell_k$ is a predetermined constant.
More precisely, the scheme is a parametrized version of Scheme (II): $p$, $k$, $d$ and $h$
have respective bit-lengths $\ell_p$ (less than $\frac12\log_2 N$), $\ell_k$, $\ell_d$, and $\log_2 N - \ell_p - \ell_d$.
To resist various attacks, the following is required:

1. $\ell_h \ge \ell_p - \ell_d - 1$.

2. $4\alpha(2\beta + \alpha - 1) > 3(1 - \beta - \alpha)^2$, where $\alpha = \frac{\log_2 N + \ell_k - \ell_d}{\log_2 N}$ and $\beta = \frac{\log_2 N + \ell_h - \ell_d}{\log_2 N}$.

3. $k$ must withstand an exhaustive search and $\ell_k + \ell_p > \frac13\log_2 N$.

A choice of parameters suggested by the authors is: $p$ is a 256-bit prime, $q$
is a 768-bit prime, $e$ is an 880-bit number, and $d$ is a 256-bit number.


4 The Attack Algorithm

In this section we demonstrate how to launch an attack on Schemes (I) and (III).
The approach used here closely follows that taken by Boneh and Durfee [3], but
differs in several crucial ways to allow it to work when the factors $p$ and $q$ of the
public modulus $N$ are unbalanced. Interestingly, our attack gets better (works
for larger and larger $d$) the more unbalanced the factors of the modulus become.

Recall the RSA equation

$$ed = 1 + k\left(\frac{N+1}{2} - \frac{p+q}{2}\right) .$$

We note that the Boneh-Durfee approach treats this as an equation modulo $e$
with two "small" unknowns, $k$ and $s = (p+q)/2$. This approach no longer works if
$p$ and $q$ are unbalanced, since a good bound on $s$ can no longer be established. For
this reason, the authors of the schemes from Section 3 hoped that these schemes
would resist the lattice-based cryptanalysis outlined in Section 2.2. However, we
will see that a more careful analysis of the RSA equation, namely one that does
not treat $p+q$ as a single unknown quantity but instead leaves $p$ and $q$ separately
as unknowns, leads to a successful attack against two of these schemes.

Writing $A = N + 1$, the RSA equation implies

$$2 + k(A - p - q) \equiv 0 \pmod e .$$

The critical improvement of our attack is to view this as a modular equation
with three unknowns, $k, p, q$, with the special property that the product $pq$ of
two of them is the known quantity $N$. We may view this problem as follows:
given a polynomial $f(x,y,z) = x(A + y + z) - 2$, find $(x_0, y_0, z_0)$ satisfying:

$$f(x_0, y_0, z_0) \equiv 0 \pmod e ,$$

where

$$|x_0| < X, \quad |y_0| < Y, \quad |z_0| < Z, \quad \text{and} \quad y_0 z_0 = N .$$

(With the sign convention above the root is $(x_0, y_0, z_0) = (-k, -p, -q)$, since
$-k(A - p - q) - 2 = -(2 + k(A - p - q))$ and $(-p)(-q) = N$.)
Note that the bounds $X \approx ed/N$, $Y \approx p$, and $Z \approx q$ can be estimated to within
a power of 2 based on the security parameters chosen for the scheme.

Following Coppersmith's method, our approach is to pick $r$ equations of
the form $e^{m-v} x^{u_1} y^{u_2} z^{u_3} f^v(x,y,z)$ and to search for low-norm integer linear
combinations of these polynomials. The basic idea is to start with a handful
of equations of the form $y^{a+j} f^m(x,y,z)$ for $j = 0, \dots, t$ for some integers $a$
and $t$ with $t > 0$. Knowing $N = pq$ allows us to replace all occurrences of the
monomial $yz$ with the constant $N$, reducing the number of monomials in each of
these equations to approximately $m^2$ instead of the expected $m^3/6$. We will refer
to these as the primary polynomials.

Since there are only $t + 1$ of these equations, this will result in a lattice
that is less than full rank; we therefore include some additional equations to
bring the lattice to full rank in order to compute its determinant. We refer
to these as the helper polynomials. We have a great deal of choice in picking
the helper polynomials; naturally, some choices are better than others, and it
is generally a tedious but straightforward optimization problem to choose the
primary and helper polynomials that are optimal. The equations we work with
are the following. Fix an integer $m$, and let $a$ and $t > 0$ be integers which we
will optimize later. We define

• $g_{k,i,b}(x,y,z) := e^{m-k} x^i y^a z^b f^k(x,y,z)$, for $k = 0, \dots, m-1$, $i = 1, \dots, m-k$,
and $b = 0, 1$; and,

• $h_{k,j}(x,y,z) := e^{m-k} y^{a+j} f^k(x,y,z)$, for $k = 0, \dots, m$ and $j = 0, \dots, t$.

The primary polynomials are $h_{m,j}(x,y,z)$ for $j = 0, \dots, t$, and the rest are the
helper polynomials. Following Coppersmith's technique, we form a lattice $L$ by
representing $g_{k,i,b}(xX, yY, zZ)$ and $h_{k,j}(xX, yY, zZ)$ by their coefficient vectors,
and use LLL to find low-norm integer linear combinations $h_1(xX, yY, zZ)$ and
$h_2(xX, yY, zZ)$. The polynomials $h_1(x,y,z)$ and $h_2(x,y,z)$ have $(x_0, y_0, z_0)$, that
is $(k, p, q)$ up to the sign convention, as a root over the integers; to remove $z$ as
an unknown, we use the equality $z = N/y$, obtaining $H_1(x,y)$ and $H_2(x,y)$ which
have $(x_0, y_0)$ as a solution. Taking the resultant $\mathrm{Res}_x(H_1(x,y), H_2(x,y))$ yields
a polynomial $H(y)$ which has $y_0 = \pm p$ as a root. Using standard root-finding
techniques allows us to recover the factor $p$ of $N$ efficiently, completing the attack.

The running time of this algorithm is dominated by the time to run LLL on the lattice $L$, which has dimension $(m+1)(m+t+1)$. So it would be ideal to keep the parameters $m$ and $t$ as low as possible, limiting the number of polynomials used to construct $L$ to a reasonable one. Surprisingly, the attack is successful even if only a handful of polynomials are used. The example given by the original authors for Scheme (I) succumbs easily to this attack with $m = 3$ and $t = 1$; with these parameters, our attack generates 20 polynomials. Scheme (III) can be cryptanalyzed with parameters $m = 2$ and $t = 2$, yielding 15 polynomials. This gives lattices of dimension 20 (see Figure 1) and 15, respectively, which can be reduced via the LLL algorithm within a matter of seconds on a desktop computer. We discuss our implementation and the results of our experiments in Section 5.
4.1 Analysis of the Attack

In order to be sure that LLL returns vectors that are "short enough" to use Lemma 2, we must derive sufficiently small bounds on the determinant of the lattice $L$ formed from the polynomials $g_{k,i,b}(xX, yY, zZ)$ and $h_{k,j}(xX, yY, zZ)$. Fortunately, this choice of polynomials makes the computation of the determinant of $L$ fairly straightforward, if somewhat tedious. We provide the details in the appendix.


Representing the Lattice as a Triangular Matrix. In order to compute the volume of the lattice $L$, we would like to list the polynomials $g_{k,i,b}(xX, yY, zZ)$ and $h_{k,j}(xX, yY, zZ)$ in a way that yields a triangular matrix. There is an ordering on these polynomials that leads to such a representation: we first list the $g_{k,i,b}(xX, yY, zZ)$ indexed outermost by $k = 0, \dots, m-1$, then $i = 1, \dots, m-k$, then innermost by $b = 0, 1$. We then list $h_{k,j}(xX, yY, zZ)$ indexed outermost by $k = 0, \dots, m$, then $j = 0, \dots, t$. (See Figure 1 for the case of $m = 2$, $t = 1$, $a = 1$.) Each new polynomial introduces exactly one new monomial $x^{u_1} y^{u_2}$ or $x^{u_1} z^{u_3}$. Note that no monomial involving the product $yz$ appears, since $yz$ can be eliminated² using the identity $N = yz$.

The determinant of this matrix is simply the product of the entries on the diagonal, which for $m = 3$, $t = 1$, $a = 1$ is

$$\mathrm{vol}(L) = \det(M) = e^{40} X^{40} Y^{34} Z^{4}. \qquad (4)$$
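The construction just described can be checked mechanically. The following Python code is an added example, not part of the paper or of its NTL/Maple implementation: it builds the $g_{k,i,b}$ and $h_{k,j}$ as polynomials in $x, y, z$ with the substitution $yz \mapsto N$, lists them in the ordering given above, records the single new monomial each one introduces, and sums the exponents that appear on the diagonal. The values of $A$ and $N$ are toy constants chosen for the example (the exponents do not depend on them), coefficients are kept over the integers rather than normalized modulo $e^m$, and only $a \ge 0$ is handled. A second function evaluates the closed-form exponents from the appendix so that the two can be compared.

```python
def mul(p1, p2, N):
    """Product of two polynomials in x, y, z, given as {(u1, u2, u3): coeff},
    with every occurrence of the monomial yz replaced by the constant N."""
    out = {}
    for (a1, b1, c1), k1 in p1.items():
        for (a2, b2, c2), k2 in p2.items():
            ux, uy, uz, k = a1 + a2, b1 + b2, c1 + c2, k1 * k2
            r = min(uy, uz)                    # r copies of yz become N^r
            mono = (ux, uy - r, uz - r)
            out[mono] = out.get(mono, 0) + k * N**r
    return {mono: k for mono, k in out.items() if k}


def f_power(k, A, N):
    """f(x,y,z)^k for f = x(A + y + z) - 1, reduced with yz -> N."""
    f = {(1, 0, 0): A, (1, 1, 0): 1, (1, 0, 1): 1, (0, 0, 0): -1}
    acc = {(0, 0, 0): 1}
    for _ in range(k):
        acc = mul(acc, f, N)
    return acc


def shift_polynomials(m, t, a, A, N):
    """Yield (exponent of e, polynomial) for the g_{k,i,b} and then the h_{k,j},
    in the order of Section 4.1 (k outermost, then i or j, then b)."""
    assert a >= 0, "negative a (y^a with a < 0) is not handled in this example"
    for k in range(m):                          # helper polynomials g_{k,i,b}
        for i in range(1, m - k + 1):
            for b in (0, 1):
                yield m - k, mul({(i, a, b): 1}, f_power(k, A, N), N)
    for k in range(m + 1):                      # h_{k,j}; those with k = m are primary
        for j in range(t + 1):
            yield m - k, mul({(0, a + j, 0): 1}, f_power(k, A, N), N)


def determinant_exponents(m, t, a, A=3234, N=3233):
    """Walk the shift polynomials, check that each introduces exactly one new
    monomial (so the coefficient matrix is triangular) and return
    (rank, C_e, C_x, C_y, C_z) with det(M) = e^C_e X^C_x Y^C_y Z^C_z.
    A and N are toy constants; only the degrees matter here."""
    seen, rank, ce, cx, cy, cz = set(), 0, 0, 0, 0, 0
    for e_exp, poly in shift_polynomials(m, t, a, A, N):
        new = [mono for mono in poly if mono not in seen]
        assert len(new) == 1, "ordering must introduce exactly one new monomial"
        ux, uy, uz = new[0]
        seen.add(new[0])
        rank, ce, cx, cy, cz = rank + 1, ce + e_exp, cx + ux, cy + uy, cz + uz
    return rank, ce, cx, cy, cz


def closed_form(m, t, a):
    """The appendix formulas for C_e, C_x, C_y, C_z (a >= 0 branch), as exact integers."""
    ce = m * (m + 1) * (4 * m + 3 * t + 5)
    cy = (m**3 + 3 * (a + t + 1) * m**2
          + (3 * t * t + 6 * a * t + 3 * a * a + 6 * a + 6 * t + 2) * m
          + (3 * t * t + 6 * a * t + 3 * a * a + 4 * a + 3 * t - a**3))
    cz = m**3 - 3 * (a - 1) * m**2 + (3 * a * a - 6 * a + 2) * m + (3 * a * a - 2 * a - a**3)
    assert ce % 6 == 0 and cy % 6 == 0 and cz % 6 == 0
    return (m + 1) * (m + t + 1), ce // 6, ce // 6, cy // 6, cz // 6


if __name__ == "__main__":
    for params in ((3, 1, 1), (2, 2, 0)):
        print(params, determinant_exponents(*params), closed_form(*params))
```

For $m = 3$, $t = 1$, $a = 1$ the walk reproduces the 20 polynomials and the exponents $e^{40} X^{40} Y^{34} Z^{4}$ of (4); for $m = 2$, $t = 2$, $a = 0$ (the Scheme (III) parameters) it gives a rank-15 lattice with $\det(M) = e^{19} X^{19} Y^{19} Z^{4}$.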

We expect the LLL algorithm to return vectors short enough to use Lemma 2 when

$$\mathrm{vol}(L) = e^{40} X^{40} Y^{34} Z^{4} < e^{mr} = e^{60}.$$

The example given by the original authors for Scheme (I) is to use $p$ of 256 bits, $q$ of 768 bits, $d$ of 192 bits, and $e$ of 1024 bits. This gives bounds

$$X \approx ed/N \approx e^{3/16}, \quad Y \approx e^{1/4}, \quad \text{and} \quad Z \approx e^{3/4};$$

we may then confirm

$$\det(M) = e^{40} X^{40} Y^{34} Z^{4} \approx e^{40 + 7.5 + 8.5 + 3} = e^{59} < e^{60} = e^{mr},$$

so Lemma 2 applies.³ Therefore, when we run the LLL algorithm on this lattice, we will get two short vectors corresponding to polynomials $h_1(x, y, z)$, $h_2(x, y, z)$; by the bound on the determinant, we know that these polynomials will have norm low enough to use Lemma 2. Therefore these polynomials will have $(k, p, q)$ as a solution over the integers. To turn these into bivariate equations, we use the equality $z = N/y$ to get $H_1(x, y)$ and $H_2(x, y)$, which have $(k, p)$ as a solution over the integers. We then take the resultant $\mathrm{Res}_x(H_1(x, y), H_2(x, y))$ to obtain a univariate polynomial $H(y)$ that has $p$ as a root.

More generally, if we pick optimal values for $t$ and $a$ and take $m$ sufficiently large, our attack will be successful for even larger bounds on $d$. The highest possible bound on $d$ for which our attack can work depends on the parameters chosen for the scheme. Suppose the parameter $d \approx N^{\delta}$ is used. The table below summarizes the largest possible $\delta$ for which our attack can succeed. We point out the choices of parameters that give rise to the schemes of Section 3.

Fig. 1. Example of the lattice formed by the vectors $g_{k,i,b}(xX, yY, zZ)$ and $h_{k,j}(xX, yY, zZ)$ when $m = 2$, $t = 1$, and $a = 1$. The matrix is lower triangular. Marked entries indicate off-diagonal quantities whose values do not affect the determinant calculation. The polynomials used are listed on the left, and the monomials they introduce are listed across the top. The double line break occurs between the $g_{k,i,b}$ and the $h_{k,j}$, while the single line breaks occur between increments of $k$. The last single line break separates the helper polynomials (top) from the two primary polynomials (bottom). [Matrix not reproduced.]

² Caution must be taken to ensure the polynomials remain monic in the terms $x^{u_1} y^{u_2}$ and $x^{u_1} z^{u_3}$ of highest degree; if the substitution $yz \mapsto N$ causes the coefficient $\lambda$ of such a term to differ from 1, then we multiply the polynomial by $\lambda^{-1} \bmod e^m$ (and reduce mod $e^m$ as appropriate) before continuing.

³ The reader may have noticed that we have suppressed the error term associated with the execution of the LLL algorithm. Interestingly, even if the LLL "fudge factor" is taken into account, this bound is still good enough. We require

$$2^{r^2/2}\, \mathrm{vol}(L) = 2^{200} e^{59} < e^{mr} / (\sqrt{r})^{r} \approx e^{60},$$

which holds since, with $e \approx 2^{1024}$, the factors $2^{200} \approx e^{0.2}$ and $(\sqrt{20})^{20} \approx e^{0.05}$ shift the exponent of $e$ by far less than 1. Slightly larger parameters $m$ and $t$ are required to rigorously obtain the bound for the norm of the second basis vector, although in practice the LLL algorithm works well enough that the parameters chosen here suffice.


                                   log_N(e)
log_N(p)     1.0        0.9        0.86        0.8     0.7     0.6     0.55
0.5          0.284      0.323      0.339       0.363   0.406   0.451   0.475
0.4          0.296      0.334      0.350       0.374   0.415   0.460   0.483 (II)
0.3          0.334      (illegible) 0.384      0.406   0.446   0.487   0.510
0.25         0.364 (I)  (illegible) 0.412 (III) 0.433  0.471   0.511   0.532
0.2          0.406      0.437      0.450       0.470   0.505   0.542   0.562
0.1          0.539      0.563      0.573       0.588   0.615   0.644   0.659

Fig. 2. Largest $\delta$ (where $d < N^{\delta}$) for which our attack can succeed, as a function of the system parameters. The entries marked (I), (II) and (III) correspond to the parameter choices of the schemes of Section 3.


For example, with the example for Scheme (I), where $e \approx N$ and $p \approx N^{0.25}$, our attack will be successful not only for the $\delta = 0.188$ suggested, but all the way up to $\delta < 0.364$ (assuming a large enough $m$ is used). Similarly, our attack works in Scheme (III) up to $d < N^{0.412}$. Notice that our attack comes close to, but cannot quite reach, the $d < N^{0.55}$ required to break Scheme (II).

4.2 Comparison with the Bivariate Approach 

Alternatively, one can consider the system of two modular equations with three unknowns as a single bivariate equation by incorporating the equation $N = pq$ into the main trivariate equation. This was independently noticed by Willi Meier [11], who also addressed the problem of breaking Schemes (I) and (III), using a bivariate approach rather than our trivariate approach. Substituting $z = N/y$ and clearing the denominator, one obtains an equation of the form $f(x, y) = xy^2 + Axy + Bx + Cy$ modulo $e$, where the unknowns are $k$ and the smaller of the primes $p$ and $q$.

However, it turns out that the application of Coppersmith's technique to this particular bivariate equation yields worse bounds than with the trivariate approach previously described. For example, the bivariate approach allows one to break Scheme (I) as long as $d < N^{0.135}$ (and perhaps slightly higher, if sublattices are considered as in [3]), but fails for larger $d$. One can view the bivariate approach as a special case of our trivariate approach, in which one degree of freedom for optimization has been removed. One then sees that the bivariate approach constrains the choice of primary and helper polynomials in a suboptimal way, resulting in worse bounds on $d$.

5 Implementation 

We implemented this attack using Victor Shoup's Number Theory Library [16] and the Maple Analytical Computation System [10]. The attack runs very efficiently, and in all instances of Schemes (I) and (III) we tested, it produced algebraically independent polynomials $H_1(x, y)$ and $H_2(x, y)$. These yielded a resultant $H(y) = (y - p) H_0(y)$, where $H_0(y)$ is irreducible, exposing the factor $p$ of $N$ in every instance. This strongly suggests that the "heuristic" assumption needed to complete the multivariate modular version of Coppersmith's technique is extremely reliable, and we conjecture that it always holds for suitably bounded lattices of this form. The running times of our attacks are given below (sizes in bits).

Scheme   size of N   size of p   size of e   size of d   m   t   a   lattice rank   running time
I        1024        256         1024        192         3   1   1   20             40 seconds
III      1024        256         880         256         2   2   0   15             9 seconds

These tests were run on a 500 MHz Pentium III running Solaris.

6 Conclusions and Open Problems 

We showed that unbalanced RSA [15] actually improves the attacks on short secret exponents by allowing a larger public exponent. This enabled us to break most of the RSA schemes [18] with short secret exponent from Asiacrypt '99. The attack extends the Boneh-Durfee attack [3] by using a "trivariate" version of Coppersmith's lattice-based technique for finding small roots of low-degree modular polynomial equations. Unfortunately, despite experimental evidence, the attack is for now only heuristic, as is the Boneh-Durfee attack. It is becoming increasingly important to find sufficient conditions under which Coppersmith's technique on multivariate modular polynomials can be proved.

Our results illustrate once again the fact that one should be very cautious when using RSA with short secret exponent. To date, the best method to enjoy the computational advantage of a short secret exponent is the following countermeasure proposed by Wiener [20]. When $N = pq$, the idea is to use a private exponent $d$ such that both $d_p = d \bmod (p-1)$ and $d_q = d \bmod (q-1)$ are small. Such a $d$ speeds up RSA signature generation since RSA signatures are often generated modulo $p$ and $q$ separately and then combined using the Chinese Remainder Theorem. Classical attacks do not work since $d$ is likely to be close to $\phi(N)$. It is an open problem whether there is an efficient attack on such secret exponents. The best known attack runs in time $\min(\sqrt{d_p}, \sqrt{d_q})$.
A General Calculation of the Determinant

The general formula for the determinant of the lattice we build in Section 4 is

$$\mathrm{vol}(L) = \det(M) = e^{C_e} X^{C_x} Y^{C_y} Z^{C_z},$$

where

$$C_e = C_x = \tfrac{1}{6}\, m(m+1)(4m + 3t + 5),$$

$$C_y = \begin{cases}
\tfrac{1}{6}\big(m^3 + 3(a+t+1)m^2 + (3t^2 + 6at + 3a^2 + 6a + 6t + 2)m + (3t^2 + 6at + 3a^2 + 4a + 3t - a^3)\big) & \text{if } a > 0, \\
\tfrac{1}{6}\big(m^3 + 3(a+t+1)m^2 + (3t^2 + 6at + 3a^2 + 6a + 6t + 2)m + (3t^2 + 6at + 3a^2 + 3a + 3t)\big) & \text{if } a \le 0,
\end{cases}$$

$$C_z = \begin{cases}
\tfrac{1}{6}\big(m^3 - 3(a-1)m^2 + (3a^2 - 6a + 2)m + (3a^2 - 2a - a^3)\big) & \text{if } a > 0, \\
\tfrac{1}{6}\big(m^3 - 3(a-1)m^2 + (3a^2 - 6a + 2)m + (3a^2 - 3a)\big) & \text{if } a \le 0.
\end{cases}$$

(As a check against (4): $m = 3$, $t = 1$, $a = 1$ gives $C_e = C_x = 40$, $C_y = 34$, $C_z = 4$.)

We need $\det(M) < e^{mr} = e^{m(m+1)(m+t+1)}$. In order to optimize the choice of $t$ and $a$, we write $t = \tau m$ and $a = \alpha m$, and observe

$$C_e = C_x = \tfrac{1}{6}(3\tau + 4)\, m^3 + o(m^3),$$

$$C_y = \begin{cases}
\tfrac{1}{6}(3\tau^2 + 6\alpha\tau + 3\alpha^2 + 3\alpha + 3\tau + 1 - \alpha^3)\, m^3 + o(m^3) & \text{if } \alpha > 0, \\
\tfrac{1}{6}(3\tau^2 + 6\alpha\tau + 3\alpha^2 + 3\alpha + 3\tau + 1)\, m^3 + o(m^3) & \text{if } \alpha \le 0,
\end{cases}$$

$$C_z = \begin{cases}
\tfrac{1}{6}(3\alpha^2 - 3\alpha + 1 - \alpha^3)\, m^3 + o(m^3) & \text{if } \alpha > 0, \\
\tfrac{1}{6}(3\alpha^2 - 3\alpha + 1)\, m^3 + o(m^3) & \text{if } \alpha \le 0.
\end{cases}$$

Suppose we write $e = N^{\varepsilon}$, $d = N^{\delta}$, and $p = N^{\beta}$, so $q = N^{1-\beta}$. Then $X = N^{\varepsilon + \delta - 1}$. So the requirement on $\det(M)$ becomes

$$N^{\varepsilon C_e + (\varepsilon + \delta - 1) C_x + \beta C_y + (1-\beta) C_z} < e^{m(m+1)(m+t+1)} = N^{\varepsilon(\tau+1) m^3 + o(m^3)}.$$

Comparing the coefficients of $m^3$ in the exponents, the above holds (for large enough $m$) when

$$\varepsilon C_e + (\varepsilon + \delta - 1) C_x + \beta C_y + (1 - \beta) C_z - \varepsilon(\tau + 1) < 0, \qquad (5)$$

where $C_e, C_x, C_y, C_z$ now stand for the leading coefficients of $m^3$ given above. The left-hand side of this expression achieves its minimum at

$$\tau_0 = \frac{1 - \beta - \delta - 2\alpha_0 \beta}{2\beta}, \qquad
\alpha_0 = \begin{cases}
1 - \beta - \sqrt{1 - \beta - \delta + \beta^2} & \text{if } \beta < \delta, \\
(\beta - \delta)/(2\beta - 2) & \text{if } \beta \ge \delta.
\end{cases}$$

Using $\tau = \tau_0$ and $\alpha = \alpha_0$ gives the minimum value of the left-hand side of inequality (5), affording us the largest possible $X$ and hence an attack on the largest possible $d < N^{\delta}$. The entries in Figure 2 were generated by plugging in $\tau_0$ and $\alpha_0$ and solving for equality in (5).
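The optimization can be carried out numerically. The following Python code is an added example, not from the paper: it evaluates the leading coefficients entering (5) at $(\tau_0, \alpha_0)$ and bisects on $\delta$ to find the largest exponent for which the left-hand side is still negative, which is how the entries of Figure 2 arise. The upper end of the bisection interval is chosen only so that the square root in $\alpha_0$ stays real; that choice is an assumption of the example, not something the paper states.

```python
from math import sqrt


def lhs(eps, beta, delta, tau, alpha):
    """Left-hand side of inequality (5) for e = N^eps, p = N^beta, d = N^delta,
    with t = tau*m and a = alpha*m, using the leading m^3 coefficients."""
    ce = cx = (3 * tau + 4) / 6
    if alpha > 0:
        cy = (3 * tau**2 + 6 * alpha * tau + 3 * alpha**2 + 3 * alpha + 3 * tau + 1 - alpha**3) / 6
        cz = (3 * alpha**2 - 3 * alpha + 1 - alpha**3) / 6
    else:
        cy = (3 * tau**2 + 6 * alpha * tau + 3 * alpha**2 + 3 * alpha + 3 * tau + 1) / 6
        cz = (3 * alpha**2 - 3 * alpha + 1) / 6
    return eps * ce + (eps + delta - 1) * cx + beta * cy + (1 - beta) * cz - eps * (tau + 1)


def optimal_params(beta, delta):
    """(tau_0, alpha_0) minimising the left-hand side of (5) for fixed beta, delta."""
    if beta < delta:
        alpha = 1 - beta - sqrt(1 - beta - delta + beta**2)
    else:
        alpha = (beta - delta) / (2 * beta - 2)
    tau = (1 - beta - delta - 2 * alpha * beta) / (2 * beta)
    return tau, alpha


def max_delta(eps, beta, iters=60):
    """Largest delta for which (5) holds at the optimal (tau_0, alpha_0),
    found by bisection; this is an entry of Figure 2."""
    lo = 0.0                                  # tiny d: the attack certainly works
    hi = 1 - beta + beta**2 - 1e-9            # keeps the square root in alpha_0 real (example assumption)
    for _ in range(iters):
        mid = (lo + hi) / 2
        tau, alpha = optimal_params(beta, mid)
        if lhs(eps, beta, mid, tau, alpha) < 0:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    for eps, beta in ((1.0, 0.5), (1.0, 0.25), (0.86, 0.25), (0.55, 0.4)):
        print(f"log_N(e)={eps}  log_N(p)={beta}  max delta={max_delta(eps, beta):.3f}")
```

With $\varepsilon = 1$ and $\beta = 0.5$ (standard RSA) the bisection lands on $\delta \approx 0.2847$, the Boneh-Durfee bound $7/6 - \sqrt{7}/3$; with $\varepsilon = 1$, $\beta = 0.25$ it gives the Scheme (I) entry $0.364$, and with $\varepsilon = 0.86$, $\beta = 0.25$ the Scheme (III) entry $0.412$, up to the three-decimal rounding of the table.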

It is interesting to note that the formulation of the root-finding problem for RSA as a trivariate equation is strictly more powerful than its formulation as the small inverse problem. This is because the small inverse problem is not expected to have a unique solution once $\delta > 0.5$, while our attack works in many cases with $\delta > 0.5$. We note that when $\varepsilon = 1$ and $\beta = 0.5$, as in standard RSA, our attack gives results identical to the simpler Boneh-Durfee attack ($d < N^{0.284}$). Their optimization of using lattices of less than full rank to achieve the $d < N^{0.292}$ bound should also work with our approach, but we have not analyzed how much of an improvement it will provide.
Abstract. We present an attack on plain ElGamal and plain RSA encryption. The attack shows that without proper preprocessing of the plaintexts, both ElGamal and RSA encryption are fundamentally insecure. Namely, when one uses these systems to encrypt a (short) secret key of a symmetric cipher it is often possible to recover the secret key from the ciphertext. Our results demonstrate that preprocessing messages prior to encryption is an essential part of both systems.


1 Introduction 

In the literature we often see a description of RSA encryption as $C = M^e \bmod N$ (the public key is $(N, e)$) and a description of ElGamal encryption as $C = (M y^r, g^r) \bmod p$ (the public key is $(p, g, y)$). Similar descriptions are also given in the original papers [17,9]. It has been known for many years that this simplified description of RSA does not satisfy basic security notions, such as semantic security (see [6] for a survey of attacks). Similarly, a version of ElGamal commonly used in practice does not satisfy basic security notions (even under the Decision Diffie-Hellman assumption [5])¹. To obtain secure systems using RSA and ElGamal one must apply a preprocessing function to the plaintext prior to encryption, or a conversion to the encryption function (see [10,16,13] for instance). Recent standards for RSA [15] use Optimal Asymmetric Encryption Padding (OAEP), which is known to be secure against a chosen ciphertext attack in the random oracle model [4]. Currently, there is no equivalent preprocessing standard for ElGamal encryption, although several proposals exist [1,10,16,13]. Unfortunately, many textbook descriptions of RSA and ElGamal do not view these preprocessing functions as an integral part of the encryption scheme. Instead, common descriptions are content with an explanation of the plain systems.

¹ Implementations of ElGamal often use an element $g \in \mathbb{Z}_p^*$ of prime order $q$ where $q$ is much smaller than $p$. When the set of plaintexts is equal to the subgroup generated by $g$, the Decision Diffie-Hellman assumption implies that ElGamal is semantically secure. Unfortunately, implementations of ElGamal often encrypt an $m$-bit message by viewing it as an $m$-bit integer and directly encrypting it. The resulting system is not semantically secure: the ciphertext leaks the Legendre symbol of the plaintext.

T. Okamoto (Ed.): ASIACRYPT 2000, LNCS 1976, pp. 30-43, 2000.

In this paper we give a simple, yet powerful, attack against both plain RSA and plain ElGamal encryption. The attack illustrates that plain RSA and plain ElGamal are fundamentally insecure systems. Hence, any description of these cryptosystems cannot ignore the preprocessing steps used in full RSA and full ElGamal. Our attack clearly demonstrates the importance of preprocessing. It can be used to motivate the need for preprocessing in introductory texts.

Our attack is based on the fact that public key encryption is typically used to encrypt session keys. These session keys are typically short, i.e. less than 128 bits. The attack shows that when using plain RSA or plain ElGamal to encrypt an $m$-bit key, it is often possible to recover the key in time approximately $2^{m/2}$. In environments where session keys are limited to 64 bits (e.g. due to government regulations), our attack shows that both plain RSA and plain ElGamal result in a completely insecure system. We experimented with the attack and showed that it works well in practice.


1.1 Summary of Results 

Suppose the plaintext $M$ is $m$ bits long. For illustration purposes, when $m = 64$ we obtain the following results:

- For any RSA public key $(N, e)$, given $C = M^e \bmod N$ it is possible to recover $M$ in the time it takes to compute $2 \cdot 2^{m/2}$ modular exponentiations. The attack succeeds with probability 18% (the probability is over the choice of $M \in \{0, 1, \dots, 2^m - 1\}$). The algorithm requires $2^{m/2}\, m$ bits of memory.

- Let $(p, g, y)$ be an ElGamal public key. When the order of $g$ is at most $p/2^m$, it is possible to recover $M$ from any ElGamal ciphertext of $M$ in the time it takes to compute $2 \cdot 2^{m/2}$ modular exponentiations. The attack succeeds with probability 18% (over the choice of $M$), and requires $2^{m/2}\, m$ bits of memory.

- Let $(p, g, y)$ be an ElGamal public key. Suppose $p - 1 = qs$ where $s > 2^m$ and the discrete log problem for subgroups of $\mathbb{Z}_p^*$ of order $s$ is tractable, i.e. takes time $T$ for some small $T$. When the order of $g$ is $p - 1$, it is possible to recover $M$ from any ciphertext of $M$ in time $T$ and $2 \cdot 2^{m/2}$ modular exponentiations. The attack succeeds with probability 18% (over the choice of $M$), and requires $2^{m/2}\, m$ bits of memory.

- Let $(p, g, y)$ be an ElGamal public key. Suppose again $p - 1 = qs$ where $s > 2^m$ and the discrete log problem for subgroups of $\mathbb{Z}_p^*$ of order $s$ takes time $T$ for some small $T$. When the order of $g$ is either $p - 1$ or at most $p/2^m$, it is possible to recover $M$ from any ciphertext of $M$ in time $T$ plus one modular exponentiation and $2 \cdot 2^{m/2}$ additions, provided a precomputation step depending only on the public key. The success probability is 18% (over the choice of $M$). The precomputations take time $2^{m/2}\, T$ and $2^{m/2}$ modular exponentiations. The space requirement can optionally be decreased to $2^{m/4} \log_2 s$ bits without increasing the computation time, however with a loss in the probability of success.

All attacks can be parallelized, and offer a variety of trade-offs with respect to the computation time, the space requirement, and the probability of success. For instance, the success probability of 18% can be raised to 35% if the computation time is quadrupled. Note that the first result applies to RSA with an arbitrary public exponent (small or large). The attack becomes slightly more efficient when the public exponent $e$ is small. The second result applies to the usual way in which ElGamal is used in practice. The third result applies when ElGamal encryption is done in the entire group, but $p - 1$ has a small smooth factor (a 64-bit smooth factor). The fourth result decreases the on-line work of both the second and the third results, provided an additional precomputation stage. It can optionally improve the time/memory trade-off. The third and fourth results assume that $p - 1$ contains a smooth factor: such a property was used in other attacks against discrete-log schemes (see [2,14] for instance).

1.2 Splitting Probabilities for Integers 

Our attacks can be viewed as a meet-in-the-middle method based on the fact that a relatively small integer (e.g., a session key) can often be expressed as a product of much smaller integers. Note that recent attacks on padded RSA signature schemes [7] use related ideas. Roughly speaking, these attacks expect certain relatively small numbers (such as hashed messages) to be smooth. Here, we will be concerned with the size of divisors. Existing analytic results for the bounds we need are relatively weak. Hence, we mainly give experimental results obtained using the Pari/GP computer package [3].

Let $M$ be a uniformly distributed $m$-bit integer. We are interested in the probability that $M$ can be written as:

- $M = M_1 M_2$ with $M_1 < 2^{m_1}$ and $M_2 < 2^{m_2}$. See Table 1 for some values.

- $M = M_1 M_2 M_3$ with $M_i < 2^{m_i}$. See Table 2 for some values.

- $M = M_1 M_2 M_3 M_4$ with $M_i < 2^{m_i}$. See Table 3 for some values.

The experimental results given in the tables have been obtained by factoring a large number of randomly chosen $m$-bit integers with uniform distribution. Some theoretical results can be obtained from the book [11]. More precisely, for $1/2 \le \alpha < 1$, let $P_\alpha(m)$ be the probability that a uniformly distributed integer $M$ in $[1, 2^m - 1]$ can be written as $M = M_1 M_2$ with both $M_1$ and $M_2$ less than or equal to $2^{\alpha m}$. It can be shown that $P_{1/2}(m)$ tends (slowly) to zero as $m$ grows to infinity. This follows (after a little work) from results in [11, Chapter 2] on the number $H(x, y, z)$ of integers $n \le x$ for which there exists a divisor $d$ such that $y < d \le z$. More precisely, the following holds (where $\log$ denotes the natural logarithm):

Pi/2(mHQ ('lo | lo |i Wgm) | (1) 

where $\delta = 1 - \dfrac{1 + \log\log 2}{\log 2} \approx 0.086$. On the other hand, when $\alpha > 1/2$, $P_\alpha(m)$ no longer tends to zero, as one can easily obtain the following asymptotic lower bound, which corrects [8, Theorem 4, p. 377]:

$$\liminf_{m \to \infty} P_\alpha(m) \ge \log(2\alpha). \qquad (2)$$

This is because the probability must include all numbers that are divisible by a prime in the interval $[2^{m/2}, 2^{\alpha m}]$, and the bound follows from well-known smoothness probabilities.

Our attacks offer a variety of trade-offs, due to the freedom in the factorization form and in the choices of the $m_i$'s: the splitting probability gives the success probability of the attack, while the other parameters determine the cost in terms of storage and computation time.


Table 1. Experimental probabilities of splitting into two factors.

Bit-length m   m_1   m_2   Probability
40             20    20    18%
               21    21    32%
               22    22    39%
               20    25    50%
64             32    32    18%
               33    33    29%
               34    34    35%
               30    36    40%

Table 2. Experimental probabilities of splitting into three factors.

Bit-length m   m_1 = m_2 = m_3   Probability
64             22                4%
               23                6.5%
               24                9%
               25                12%

Table 3. Experimental probabilities of splitting into four factors.

Bit-length m   m_1 = m_2 = m_3 = m_4   Probability
64             16                      0.5%
               20                      3%

1.3 Organization of the Paper 

In Section 2 we introduce the subgroup rounding problems which inspire all our attacks. In Section 3 we present rounding algorithms that break plain ElGamal encryption when $g$ generates a "small" subgroup of $\mathbb{Z}_p^*$. Using similar ideas, we present in Section 4 an attack on plain ElGamal encryption when $g$ generates all of $\mathbb{Z}_p^*$, and an attack on plain RSA in Section 5.

2 The Subgroup Rounding Problems 

Recall that the ElGamal public key system [9] encrypts messages in $\mathbb{Z}_p^*$ for some prime $p$. Let $g$ be an element of $\mathbb{Z}_p^*$ of order $q$. The private key is a number $x$ in the range $1 \le x < q$. The public key is a tuple $(p, g, y)$ where $y = g^x \bmod p$. To encrypt a message $M \in \mathbb{Z}_p$ the original scheme works as follows: (1) pick a random $r$ in the range $1 \le r < q$, and (2) compute $u = M \cdot y^r \bmod p$ and $v = g^r \bmod p$. The resulting ciphertext is the pair $(u, v)$. To speed up the encryption process one often uses an element $g$ of order much smaller than $p$. For example, $p$ may be 1024 bits long while $q$ is only 512 bits long.

For the rest of this section we assume $g \in \mathbb{Z}_p^*$ is an element of order $q$ where $q \ll p$. For concreteness one may think of $p$ as 1024 bits long and $q$ as 512 bits long. Let $G_q$ be the subgroup of $\mathbb{Z}_p^*$ generated by $g$. Observe that $G_q$ is extremely sparse in $\mathbb{Z}_p^*$: only one in $2^{512}$ elements belongs to $G_q$. We also assume $M$ is a short message of length much smaller than $\log_2(p/q)$. For example, $M$ is a 64-bit session key.

To understand the intuition behind the attack it is beneficial to consider a slight modification of the ElGamal scheme. After the random $r$ is chosen one encrypts a message $M$ by computing $u = M + y^r \bmod p$. That is, we "blind" the message by adding $y^r$ rather than multiplying by it. The ciphertext is then $(u, v)$ where $v$ is defined as before. Clearly $y^r$ is a random element of $G_q$. We obtain the following picture:

[Figure: a number line on which the elements of $G_q$ are marked with an x, and $u$ lies a short distance to the right of one of them.]

The x marks represent elements in $G_q$. Since $M$ is a relatively small number, encryption of $M$ amounts to picking a random element in $G_q$ and then slightly moving away from it. Assuming the elements of $G_q$ are uniformly distributed in $\mathbb{Z}_p^*$, the average gap between elements of $G_q$ is much larger than $M$. Hence, with high probability, there is a unique element $z \in G_q$ that is sufficiently close to $u$. More precisely, with high probability there will be a unique element $z \in G_q$ satisfying $|u - z| < 2^{64}$. If we could find $z$ given $u$ we could recover $M$. Hence, we obtain the additive version of the subgroup rounding problem:

Additive subgroup rounding: let $z$ be an element of $G_q$ and $\Delta$ an integer satisfying $\Delta < 2^m$. Given $u = z + \Delta \bmod p$ find $z$. When $m$ is sufficiently small, $z$ is uniquely determined (with high probability assuming $G_q$ is uniformly distributed in $\mathbb{Z}_p$).

Going back to the original multiplicative ElGamal scheme we obtain the multiplicative subgroup rounding problem.

Multiplicative subgroup rounding: let $z$ be an element of $G_q$ and $\Delta$ an integer satisfying $\Delta < 2^m$. Given $u = z \cdot \Delta \bmod p$ find $z$. When $m$ is sufficiently small, $z$ is uniquely determined (with high probability assuming $G_q$ is uniformly distributed in $\mathbb{Z}_p$).

An efficient solution to either problem would imply that the corresponding plain ElGamal encryption scheme is insecure. We are interested in solutions that run in time $O(\sqrt{\Delta})$ or, even better, $O(\log \Delta)$. In the next section we show a solution to the multiplicative subgroup rounding problem.

The reason we refer to these schemes as "plain ElGamal" is that messages are encrypted as is. Our attacks show the danger of using the system in this way. For proper security one must pre-process the message prior to encryption or modify the encryption mechanism. For example, one could use DHAES [1] or a result due to Fujisaki and Okamoto [10], or even more recently [16,13].

3 Algorithms for Multiplicative Subgroup Rounding 

We are given an element $u \in \mathbb{Z}_p^*$ of the form $u = z \cdot \Delta \bmod p$ where $z$ is a random element of $G_q$ and $|\Delta| < 2^m$. Our goal is to find $\Delta$, which we can assume to be positive. As usual, we assume that $m$, the length of the message being encrypted, is much smaller than $\log_2(p/q)$. Then with high probability $\Delta$ is unique. For example, take $p$ to be 1024 bits long, $q$ to be 512 bits long and $m$ to be 64. We first give a simple meet-in-the-middle strategy for multiplicative subgroup rounding. By reduction to a knapsack-like problem, we will then improve both the on-line computation time and the time/memory trade-off of the method, provided that $p$ satisfies an additional, yet realistic, assumption.


3.1 A Meet-in-the-Middle Method

Suppose $\Delta$ can be written as $\Delta = \Delta_1 \cdot \Delta_2$ where $\Delta_1 < 2^{m_1}$ and $\Delta_2 < 2^{m_2}$. For instance, one can take $m_1 = m_2 = m/2$. We show how to find $\Delta$ from $u$ in space $O(2^{m_1})$ and $2^{m_1} + 2^{m_2}$ modular exponentiations. Observe that

$$u = z \cdot \Delta = z \cdot \Delta_1 \cdot \Delta_2 \bmod p.$$

Dividing by $\Delta_2$ and raising both sides to the power of $q$ yields:

$$(u / \Delta_2)^q = z^q \cdot \Delta_1^q = \Delta_1^q \bmod p.$$


We can now build a table of size $2^{m_1}$ containing the values $\Delta_1^q \bmod p$ for all $\Delta_1 = 1, \dots, 2^{m_1}$. Then for each $\Delta_2 = 1, \dots, 2^{m_2}$ we check whether $(u/\Delta_2)^q \bmod p$ is present in the table. If so, then $\Delta = \Delta_1 \cdot \Delta_2$ is a candidate value for $\Delta$. Assuming $\Delta$ is unique, there will only be one such candidate, although there will probably be several suitable pairs $(\Delta_1, \Delta_2)$.

The algorithm above requires a priori $2^{m_2} + 2^{m_1}$ modular exponentiations and $2^{m_1} \log_2 p$ bits of memory. However, we do not need to store the complete value of $\Delta_1^q \bmod p$ in the table: a sufficiently large hash value is enough, as we are only looking for "collisions". For instance, one can take the $2 \max(m_1, m_2)$ least significant bits of $\Delta_1^q \bmod p$, so that the space requirement is only $2^{m_1 + 1} \max(m_1, m_2)$ bits instead of $2^{m_1} \log_2 p$. Fewer bits are even possible, since we can check the validity of the (few) candidates obtained. Note also that the table only depends on $p$ and $q$: the same table can be used for all ciphertexts. For each ciphertext, one needs to compute at most $2^{m_2}$ modular exponentiations. For each exponentiation, one has to check whether or not it belongs to the table, which can be done with $O(m_1)$ comparisons once the table is sorted.

It is worth noting that $\Delta_1$ and $\Delta_2$ need not be prime. The probability that a random $m$-bit integer (such as $\Delta$) can be expressed as a product of two integers, one being less than $m_1$ bits and the other one being less than $m_2$ bits, is discussed in Section 1.2.

By choosing different values of $m_1$ and $m_2$ (not necessarily $m/2$), one obtains various trade-offs with respect to the computation time, the storage requirement, and the success probability. For instance, when the system is used to encrypt a 64-bit session key, if we pick $m_1 = m_2 = 32$, the algorithm succeeds with probability approximately 18% (with respect to the session key), and it requires on the order of eight billion exponentiations, far less than the time to compute discrete logs in $\mathbb{Z}_p^*$.

We implemented the attack using Victor Shoup's NTL library [19]. The timings should not be considered optimal; they are meant to give a rough idea of the attack's efficiency compared to exhaustive search attacks on the symmetric algorithm. Running times are given for a single 500 MHz 64-bit DEC Alpha running Linux. If $m = 40$ and $m_1 = m_2 = 20$, and we use a 160-bit $q$ and a 512-bit $p$, the precomputation step takes 40 minutes, and each message is recovered in less than 1 hour and 30 minutes. From Section 1.2, this also means that, given only the public key and the ciphertext, a 40-bit message can be recovered in less than 6 hours on a single workstation, with probability 39%.

3.2 Reduction to Knapsack-like Problems 

We now show how to improve the on-line computation time ($2^{m/2}$ modular exponentiations) and the time/memory trade-off of the method. We transform the multiplicative rounding problem into a linear problem, provided that $p$ satisfies the additional assumption $p - 1 = qrs$ where $s > 2^m$ is such that discrete logs in subgroups of $\mathbb{Z}_p^*$ of order $s$ can be efficiently computed. For instance, if $p_1^{e_1} \cdots p_k^{e_k}$ is the prime factorization of $s$, discrete logs in a cyclic group of order $s$ can be computed with $O\big(\sum_{i=1}^{k} e_i (\log s + \sqrt{p_i})\big)$ group operations and negligible space, using the Pohlig-Hellman and Pollard $\rho$ methods (see [12]). Let $w$ be a generator of $\mathbb{Z}_p^*$. For all $x \in \mathbb{Z}_p^*$, $x^{qr}$ belongs to the subgroup $G_s$ of order $s$ generated by $w^{qr}$.

The linear problem that we will consider is known as the $k$-table problem: given $k$ tables $T_1, \dots, T_k$ of integers and a target integer $n$, the $k$-table problem is to return all expressions (possibly none) of $n$ of the form $n = t_1 + t_2 + \cdots + t_k$ where $t_i \in T_i$. The general $k$-table problem has been studied by Schroeppel and Shamir [18], because several NP-complete problems (e.g., the knapsack problem) can be reduced to it. We will apply (slightly modified) known solutions to the $k$-table problem, for $k = 2, 3$ and $4$.


The Modular 2-Table Problem   Suppose that $\Delta$ can be written as $\Delta = \Delta_1 \cdot \Delta_2$, with $0 < \Delta_1 < 2^{m_1}$ and $0 < \Delta_2 < 2^{m_2}$, as in Section 3.1. We have $u^q = \Delta_1^q \Delta_2^q \bmod p$ and therefore:

$u^{qr} = \Delta_1^{qr} \Delta_2^{qr} \bmod p,$

which can be rewritten as

$\log(u^{qr}) = \log(\Delta_1^{qr}) + \log(\Delta_2^{qr}) \bmod s,$

where the logarithms are with respect to $\omega^{qr}$.

We build a table $T_1$ consisting of $\log(\Delta_1^{qr})$ for all $\Delta_1 = 0, \ldots, 2^{m_1}$, and a table $T_2$ consisting of $\log(\Delta_2^{qr})$ for all $\Delta_2 = 0, \ldots, 2^{m_2}$. These tables are independent of $\Delta$. The problem is now to express $\log(u^{qr})$ as a modular sum $t_1 + t_2$ where $t_1 \in T_1$ and $t_2 \in T_2$. The number of targets $t_1 + t_2$ is $2^{m_1+m_2}$. Hence, we expect this problem to have very few solutions when $s > 2^{m_1+m_2}$. The problem involves modular sums, but it can of course be viewed as a 2-table problem with two targets $\log(u^{qr})$ and $\log(u^{qr}) + s$. The classical method to solve the 2-table problem with a target $n$ is the following:

1. Sort $T_1$ in increasing order;

2. Sort $T_2$ in decreasing order;

3. Repeat until either $T_1$ or $T_2$ becomes empty (in which case all solutions have already been found):

   (a) Compute $t = \mathrm{first}(T_1) + \mathrm{first}(T_2)$.

   (b) If $t = n$, output the solution which has been found, and delete $\mathrm{first}(T_1)$ from $T_1$ and $\mathrm{first}(T_2)$ from $T_2$;

   (c) If $t < n$ delete $\mathrm{first}(T_1)$ from $T_1$;

   (d) If $t > n$ delete $\mathrm{first}(T_2)$ from $T_2$.

It is easy to see that the method outputs all solutions of the 2-table problem, in time $2^{\min(m_1, m_2)+1}$. The space requirement is $O(2^{m_1} + 2^{m_2})$.

Since the original problem involves modular sums, it seems at first glance that we have to apply the previous algorithm twice (with two different targets). However, we note that a simple modification of the previous algorithm can in fact solve the modular 2-table problem (that is, the 2-table problem with modular additions instead of integer additions). The basic idea is the following. Since $T_2$ is sorted in descending order, $n - T_2$ is sorted in ascending order. The set $(n - T_2) \bmod s$, though not necessarily sorted, is almost sorted. More precisely, two adjacent numbers are always in the right order, with the exception of a single pair. This is because $n - T_2$ is contained in an interval of length $s$. The single pair of adjacent numbers in reverse order corresponds to the two elements $a$ and $b$ of $T_2$ surrounding $s - n$. These two elements can easily be found by a simple dichotomy search for $s - n$ in $T_2$. And once the elements are known, we can access $(n - T_2) \pmod s$ in ascending order by viewing $T_2$ as a circular list, starting our enumeration of $T_2$ by $b$, and stopping at $a$.

The total cost of the method is the following. The precomputation of tables $T_1$ and $T_2$ requires $2^{m_1} + 2^{m_2}$ modular exponentiations and discrete log computations in a subgroup of $\mathbb{Z}_p^*$ of order $s$, and the sort of $T_1$ and $T_2$. The space requirement is $(2^{m_1} + 2^{m_2}) \log_2 s$ bits. For each ciphertext, we require one modular exponentiation, one efficient discrete log (to compute the target), and $2^{\min(m_1, m_2)+1}$ additions. Hence, we improved the on-line work of the method of Section 3.1: loosely speaking, we replaced modular exponentiations by simple additions. We now show how to decrease the space requirement of the method.
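The 2-table merge above, and its modular variant obtained by walking $T_2$ as a circular list, as an added example; this is not the paper's code. The tables and target are constructed at random, with distinct entries per table (as the logarithms of distinct group elements are), and the result is checked against brute force. In this implementation the split point of the circular walk is the index where the descending $T_2$ crosses the target $n$, which is where $(n - t_2) \bmod s$ has its single descent.

```python
"""Added example (not from the paper): the 2-table sorted-merge algorithm of
Section 3.2 and its modular variant, checked against brute force on constructed data."""
import bisect
import random


def two_table(T1, T2, n):
    """All (t1, t2), t1 in T1, t2 in T2, with t1 + t2 == n (integer sum).
    T1 is walked in increasing and T2 in decreasing order, as in steps 1-3 of
    the classical algorithm, so the merge costs O(|T1| + |T2|) after sorting."""
    a = sorted(T1)                 # increasing
    b = sorted(T2, reverse=True)   # decreasing
    i = j = 0
    out = []
    while i < len(a) and j < len(b):
        t = a[i] + b[j]
        if t == n:
            out.append((a[i], b[j]))
            i += 1
            j += 1
        elif t < n:
            i += 1      # a[i] is too small for every remaining b[j]
        else:
            j += 1      # b[j] is too large for every remaining a[i]
    return out


def modular_two_table(T1, T2, n, s):
    """All (t1, t2) with t1 + t2 == n (mod s); table entries lie in [0, s).
    Rather than running two_table twice (targets n and n + s), enumerate
    (n - t2) mod s in ascending order by reading the decreasing T2 as a circular
    list that starts at the first t2 <= n (the paper's 'b') and ends just before it."""
    n %= s
    a = sorted(T1)
    b = sorted(T2, reverse=True)
    asc = b[::-1]                                    # ascending view for bisection
    k = len(b) - bisect.bisect_right(asc, n)         # first index j with b[j] <= n
    order = list(range(k, len(b))) + list(range(0, k))   # circular walk of T2
    out = []
    i = p = 0
    while i < len(a) and p < len(order):
        j = order[p]
        c = (n - b[j]) % s          # ascending in p by construction of `order`
        if a[i] == c:
            out.append((a[i], b[j]))
            i += 1
            p += 1
        elif a[i] < c:
            i += 1
        else:
            p += 1
    return out


def brute_modular(T1, T2, n, s):
    """Reference answer for the modular problem (quadratic time)."""
    return sorted((t1, t2) for t1 in T1 for t2 in T2 if (t1 + t2) % s == n % s)


def demo(seed=1):
    """Constructed instance: s = 1009, two 60-entry tables, random target."""
    rng = random.Random(seed)
    s = 1009
    T1 = rng.sample(range(s), 60)
    T2 = rng.sample(range(s), 60)
    n = rng.randrange(s)
    return sorted(modular_two_table(T1, T2, n, s)) == brute_modular(T1, T2, n, s)
```

The on-line cost is visible in the loop bodies: each iteration is one addition or comparison, never an exponentiation, which is the improvement over Section 3.1 that the text describes.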

The Modular 3-Table Problem   The previous approach can easily be extended to an arbitrary number of factors of $\Delta$. Suppose for instance $\Delta$ can be written as $\Delta = \Delta_1 \cdot \Delta_2 \cdot \Delta_3$ where each $\Delta_i$ is less than $2^{m_i}$. We obtain

$\log(u^{qr}) = \sum_{i=1}^{3} \log(\Delta_i^{qr}) \bmod s,$

where the logarithms are with respect to $\omega^{qr}$. In a precomputation step, we compute in a table $T_i$ all the logarithms of $\Delta_i^{qr} \bmod p$ for $0 < \Delta_i < 2^{m_i}$. We are left with a modular 3-table problem with target $\log(u^{qr})$. The modular 3-table problem with target $n$ modulo $s$ can easily be solved in time $O(2^{m_1 + \min(m_2, m_3)})$ and space $O(2^{m_1} + 2^{m_2} + 2^{m_3})$. It suffices to apply the modular 2-table algorithm on tables $T_2$ and $T_3$, for all targets $(n - t_1) \bmod s$, with $t_1 \in T_1$.

Hence, we decreased the space requirement of the method of Section 3.2, by (slightly) increasing the on-line computation work and decreasing the success probability (see Section 1.2 for the probability of splitting into three factors). More precisely, if $m_1 = m_2 = m_3 = m/3$, the on-line work is one modular exponentiation, one discrete log in a group of order $s$, and $2^{2m/3}$ additions. Since an addition is very cheap, this might be useful for practical purposes.

The Modular 4-Table Problem   Using 3 factors did not improve the time/memory trade-off of the on-line computation work. Indeed, for both modular 2-table and modular 3-table problems, our algorithms satisfy $TS = O(2^m)$, where $T$ is the number of additions, and $S$ is the space requirement. Surprisingly, one can obtain a better time/memory tradeoff with 4 factors.

Suppose $\Delta$ can be written as $\Delta = \Delta_1 \cdot \Delta_2 \cdot \Delta_3 \cdot \Delta_4$ where each $\Delta_i$ is less than $2^{m_i}$. For instance, one can take $m_1 = m_2 = m_3 = m_4 = m/4$. We show how to find $\Delta$ from $\log(u^{qr})$ in time $O(2^{m_1+m_2} + 2^{m_3+m_4})$ and space $O\left(\sum_{i=1}^{4} 2^{m_i}\right)$, provided a precomputation stage of $\sum_{i=1}^{4} 2^{m_i}$ modular exponentiations and discrete log computations in a group of order $s$.

We have $\log(u^{qr}) = \sum_{i=1}^{4} \log(\Delta_i^{qr}) \bmod s$. Again, in a precomputation step, we compute in a table $T_i$ all the logarithms of $\Delta_i^{qr} \bmod p$ for $0 < \Delta_i < 2^{m_i}$. We are left with a modular 4-table problem, whose solutions will reveal possible choices of $\Delta_1, \Delta_2, \Delta_3$ and $\Delta_4$. Schroeppel and Shamir [18] proposed a clever solution to the basic 4-table problem, using the following idea. An obvious solution to the 4-table problem is to solve a 2-table problem by merging two tables, that is, considering sums $t_1 + t_2$ and $t_3 + t_4$ separately. However, the algorithm for the 2-table problem described in Section 3.2 accesses the elements of the sorted supertables sequentially, and thus there is no need to store all the possible combinations simultaneously in memory. All we need is the ability to generate them quickly (on-line, upon request) in sorted order. To implement this idea, two priority queues are used:

- $Q'$ stores pairs $(t_1, t_2)$ from $T_1 \times T_2$, enables arbitrary insertions and deletions to be done in logarithmic time, and makes the pairs with the smallest $t_1 + t_2$ sum accessible in constant time.

- $Q''$ stores pairs $(t_3, t_4)$ from $T_3 \times T_4$, enables arbitrary insertions and deletions to be done in logarithmic time, and makes the pairs with the largest $t_3 + t_4$ sum accessible in constant time.

This leads to the following algorithm for a target $n$:

1. Precomputation:

   - Sort $T_2$ into increasing order, and $T_4$ into decreasing order;

   - Insert into $Q'$ all the pairs $(t_1, \mathrm{first}(T_2))$ for $t_1 \in T_1$;

   - Insert into $Q''$ all the pairs $(t_3, \mathrm{first}(T_4))$ for $t_3 \in T_3$.

2. Repeat until either $Q'$ or $Q''$ becomes empty (in which case all solutions have been found):

   - Let $(t_1, t_2)$ be the pair with smallest $t_1 + t_2$ in $Q'$;

   - Let $(t_3, t_4)$ be the pair with largest $t_3 + t_4$ in $Q''$;

   - Compute $t = t_1 + t_2 + t_3 + t_4$.

   - If $t = n$, we output the solution, and apply what is planned when $t < n$ or $t > n$.

   - If $t < n$ do

     • delete $(t_1, t_2)$ from $Q'$;

     • if the successor $t_2'$ of $t_2$ in $T_2$ is defined, insert $(t_1, t_2')$ into $Q'$;

   - If $t > n$ do

     • delete $(t_3, t_4)$ from $Q''$;

     • if the successor $t_4'$ of $t_4$ in $T_4$ is defined, insert $(t_3, t_4')$ into $Q''$.
At each stage, a $t_1 \in T_1$ can participate in at most one pair in $Q'$, and a $t_3 \in T_3$ can participate in at most one pair in $Q''$. It follows that the space complexity of the priority queues is bounded by $O(|T_1| + |T_3|) = O(2^{m_1} + 2^{m_3})$. Each possible pair can be deleted from $Q'$ at most once, and the same holds for $Q''$. Since at each iteration, one pair is deleted from $Q'$ or $Q''$, the number of iterations cannot exceed the number of possible pairs, which is $O(2^{m_1+m_2} + 2^{m_3+m_4})$.

Finally, as in the 2-table case, we note that this algorithm can be adapted to modular sums, by changing the starting points in $T_2$ and $T_4$ to make sure that the modular sets are enumerated in the correct order. Hence, it is not necessary to apply the 4-table algorithm on 4 targets. If $m_1 = m_2 = m_3 = m_4 = m/4$, we obtain a time complexity of $O(2^{m/2})$ and a space complexity of only $O(2^{m/4})$, which improves the time/memory tradeoff of the methods of Sections 3.2 and 3.2. The probability that a random $m$-bit integer (such as $\Delta$) can be expressed as a product of four integers $\Delta_i$, where $\Delta_i$ has less than $m_i$ bits, is given in Section 1.2. Different values of $m_1, m_2, m_3$ and $m_4$ (not necessarily $m/4$), give rise to different trade-offs with respect to the computation time, the storage requirement, and the success probability.
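The Schroeppel-Shamir 4-table algorithm with its two priority queues, for integer targets, as an added example; this is not the paper's code. Python's heapq is a min-heap, so $Q''$ stores negated sums to expose the largest $t_3 + t_4$. Tables are assumed to have distinct entries (as in the paper, where they hold logarithms of distinct elements); when the two queue heads hit the target, every queued pair sharing the same sum is popped as a group so that no solution is skipped. The modular adaptation via shifted starting points is not implemented here.

```python
"""Added example (not from the paper): the Schroeppel-Shamir 4-table algorithm of
Section 3.2 with two priority queues, checked against brute force on constructed data."""
import heapq
import itertools
import random


def _pop_group(heap):
    """Pop every entry that shares the minimum key of the heap."""
    key = heap[0][0]
    group = []
    while heap and heap[0][0] == key:
        group.append(heapq.heappop(heap))
    return group


def four_table(T1, T2, T3, T4, n):
    """All (t1, t2, t3, t4), ti in Ti, with t1 + t2 + t3 + t4 == n.
    q1 holds (t1 + t2, t1, index into T2) and yields pairs by increasing sum;
    q2 holds (-(t3 + t4), t3, index into T4) and yields pairs by decreasing sum.
    Each t1 (resp. t3) sits in at most one queued pair, so memory is O(|T1| + |T3|)."""
    T2 = sorted(T2)                  # increasing: the successor of t2 raises t1 + t2
    T4 = sorted(T4, reverse=True)    # decreasing: the successor of t4 lowers t3 + t4
    if not (T1 and T2 and T3 and T4):
        return []
    q1 = [(t1 + T2[0], t1, 0) for t1 in T1]
    q2 = [(-(t3 + T4[0]), t3, 0) for t3 in T3]
    heapq.heapify(q1)
    heapq.heapify(q2)

    def advance1(t1, j):
        if j + 1 < len(T2):
            heapq.heappush(q1, (t1 + T2[j + 1], t1, j + 1))

    def advance2(t3, k):
        if k + 1 < len(T4):
            heapq.heappush(q2, (-(t3 + T4[k + 1]), t3, k + 1))

    out = []
    while q1 and q2:
        t = q1[0][0] - q2[0][0]       # smallest t1 + t2 plus largest t3 + t4
        if t < n:                     # this (t1, t2) can never reach n: drop it
            _, t1, j = heapq.heappop(q1)
            advance1(t1, j)
        elif t > n:                   # this (t3, t4) can never come down to n: drop it
            _, t3, k = heapq.heappop(q2)
            advance2(t3, k)
        else:                         # t == n: report all pairs at these two sums
            g1, g2 = _pop_group(q1), _pop_group(q2)
            for _, t1, j in g1:
                for _, t3, k in g2:
                    out.append((t1, T2[j], t3, T4[k]))
            for _, t1, j in g1:
                advance1(t1, j)
            for _, t3, k in g2:
                advance2(t3, k)
    return out


def brute_four(T1, T2, T3, T4, n):
    """Reference answer (|T1||T2||T3||T4| work)."""
    return sorted(c for c in itertools.product(T1, T2, T3, T4) if sum(c) == n)


def demo(seed=7):
    """Constructed instance: four 12-entry tables with entries below 200, target 400."""
    rng = random.Random(seed)
    tabs = [rng.sample(range(200), 12) for _ in range(4)]
    n = 400
    return sorted(four_table(*tabs, n)) == brute_four(*tabs, n)
```

The queue sizes never exceed $|T_1|$ and $|T_3|$ even though $|T_1||T_2| + |T_3||T_4|$ pair sums are examined, which is the $TS$ improvement the text attributes to the 4-table split.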

Our experiments show that, as expected, the method requires much less computing power than a brute-force attack on the 64-bit key using the symmetric encryption algorithm. We implemented the attack on a PII/Linux-400 MHz. Here is a numerical example, using DSS-like parameters:

q = 762503714763387752235260732711386742425586145191

p = 12445297195020897327961146684569284985257444765520858655057634418042792682183038633894759924784265833354926964504544903320941144896341512703447024972887681

The 160-bit number $q$ divides the 512-bit number $p - 1$. The smooth part of $p - 1$ is $4783 \cdot 1759 \cdot 1627 \cdot 139 \cdot 113 \cdot 41 \cdot 11 \cdot 7 \cdot 5 \cdot 2^7$, which is a 69-bit number. Our attack recovered the 64-bit secret message 14327865741237781950 in only 2 hours and a half (we were lucky, as the maximal running time for 64 bits should be around 14 hours).

4   An Attack on ElGamal Using a Generator of $\mathbb{Z}_p^*$

So far, our attacks on ElGamal encryption apply when the public key $(p, g, y)$ uses an element $g \in \mathbb{Z}_p^*$ whose order is much less than $p$. Although many implementations of ElGamal use such $g$, it is worth studying whether a "meet-in-the-middle attack" is possible when $g$ generates all of $\mathbb{Z}_p^*$. We show that the answer is positive, although we cannot directly use the algorithm for subgroup rounding.

Let $(p, g, y)$ be an ElGamal public key where $g$ generates all of $\mathbb{Z}_p^*$. Suppose an $m$-bit message $M$ is encrypted using plain ElGamal, i.e. the ciphertext is $(u, v)$ where $u = M \cdot y^r$ and $v = g^r$. Suppose $s$ is a factor of $p - 1$ so that in the subgroup of $\mathbb{Z}_p^*$ of order $s$ the discrete log problem is not too difficult (as in Section 3.2), i.e. takes time $T$ for some small $T$. For example, $s$ may be an integer with only small prime divisors (a smooth integer).

We show that when $s > 2^m$ it is often possible to recover the plaintext from the ciphertext in time $2^{m/2} \cdot m$ plus the time it takes to compute one discrete log in the subgroup of $\mathbb{Z}_p^*$ of order $s$. We refer to this subgroup as $G_s$. Note that when $M$ is a 64-bit session key the only constraint on $p$ is that $p - 1$ have a 64-bit smooth factor.

Let $u = M \cdot y^r$ and $v = g^r$ be an ElGamal ciphertext. As before, suppose $M = M_1 \cdot M_2$ where both $M_1$ and $M_2$ are less than $2^{m/2}$. Let $q = (p-1)/s$; then $M_1 y^r = u / M_2 \bmod p$. Hence,

$M_1^q (y^r)^q = u^q / M_2^q \bmod p$

We cannot use the technique of Section 3.1 directly since we do not know the value of $y^{rq}$. Fortunately, $y^{rq}$ is contained in $G_s$. Hence, we can compute $y^{rq}$ directly using the public key $y$ and $v = g^r$. Indeed, suppose we had an integer $a$ such that $y^q = (g^q)^a$. Then $y^{rq} = g^{rqa} = v^{qa}$. Computing $a$ amounts to computing a single discrete log in $G_s$. Once $a$ is found the problem is reduced to finding $(M_1, M_2)$ satisfying:

$M_1^q v^{qa} = u^q / M_2^q \bmod p \qquad (3)$

The techniques of Section 3.1 can now be used to find all such $(M_1, M_2)$ in the time it takes to compute $2^{m/2}$ exponentiations. Since the subgroup $G_s$ contains at least $2^m$ elements the number of solutions is bounded by $m$. The correct solution can then be easily found by other means, e.g. by trying all $m$ candidate plaintexts until one of them succeeds as a "session-key".

Note that all the techniques of Section 3.2 can also be applied. The on-line work of $2^{m/2}$ modular exponentiations is then decreased to $2^{m/2}$ additions, provided the precomputation of many discrete logs in $G_s$. Indeed, by taking logarithms in (3), one is left with a modular 2-table problem. Splitting the unknown message $M$ in a different number of factors leads to other modular $k$-table problems. One can thus obtain various trade-offs with respect to the computation time, the memory space, and the probability of success, as described in Section 3.2.

To summarize, when $g$ generates all of $\mathbb{Z}_p^*$ the meet-in-the-middle attack can often be used to decrypt ElGamal ciphertexts in time $2^{m/2}$ as long as $p - 1$ contains an $m$-bit smooth factor.

5   A Meet-in-the-Middle Attack on Plain RSA

To conclude we remark that the same technique used for the subgroup rounding problem can be used to attack plain RSA. This was also mentioned in [8]. In its simplest form, the RSA system [17] encrypts messages in $\mathbb{Z}_N$ where $N = pq$ for some large primes $p$ and $q$. The public key is $(N, e)$ and the private key is $d$, where $e \cdot d = 1 \bmod \phi(N)$ with $\phi(N) = (p-1)(q-1)$. A message $M \in \mathbb{Z}_N$ is then encrypted into $c = M^e \bmod N$. To speed up the encryption process one often uses a public exponent $e$ much smaller than $N$, such as $e = 2^{16} + 1$.

Suppose the $m$-bit message $M$ can be written as $M = M_1 M_2$ with $M_1 < 2^{m_1}$ and $M_2 < 2^{m_2}$. Then:

$\frac{c}{M_2^e} = M_1^e \bmod N.$

We can now build a table of size $2^{m_1}$ containing the values $M_1^e \bmod N$ for all $M_1 = 0, \ldots, 2^{m_1}$. Then for each $M_2 = 0, \ldots, 2^{m_2}$, we check whether $c / M_2^e \bmod N$ is present in the table. Any collision will reveal the message $M$. As in Section 3.1, we note that storing the complete value of $M_1^e \bmod N$ is not necessary: for instance, storing the $2\max(m_1, m_2)$ least significant bits should be enough. The attack thus requires $2^{m_1+1} \max(m_1, m_2)$ bits of memory and takes $2^{m_2}$ modular exponentiations (we can assume that the table sort is negligible, compared to exponentiations).

Using a non-optimized implementation (based on the NTL [19] library), we obtained the following results. The timings give a rough idea of the attack efficiency, compared to exhaustive search attacks on the symmetric algorithm. Running times are given for a single 500 MHz 64-bit DEC Alpha/Linux. If $m = 40$ and $m_1 = m_2 = 20$, and we use a public exponent $2^{16} + 1$ with a 512-bit modulus, the precomputation step takes 3 minutes, and each message is recovered in less than 10 minutes. From Section 1.2, it also means that, given only the public key and the ciphertext, a 40-bit message can be recovered in less than 40 minutes on a single workstation, with probability at least 39%.
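The table-and-lookup procedure of this section at toy size, as an added example; this is not the paper's implementation. The modulus is built from two constructed small primes and the "session key" is a constructed 20-bit value that happens to split into two 10-bit factors; the cost of the procedure depends on $m$, not on the size of $N$, so the toy modulus does not change the lesson. The last function shows the check one would use to confirm that an unpadded deployment is exposed: a key that does not split into two small factors is simply not found.

```python
"""Added example (not from the paper): the meet-in-the-middle procedure of
Section 5 on unpadded RSA, with constructed toy parameters."""

# Constructed toy key. Real moduli are 2048 bits; the work here is ~2^m1 + 2^m2
# exponentiations regardless of the modulus size.
P, Q = 1000003, 1000033      # small primes, constructed for the demo
N = P * Q
E = 65537                     # 2^16 + 1, the exponent mentioned in the text


def encrypt(m):
    """Textbook RSA: c = m^e mod N, no padding."""
    return pow(m, E, N)


def mitm_recover(c, m1, m2):
    """Return every M = M1*M2 with 0 < M1 < 2^m1, 0 < M2 < 2^m2 and M^e == c (mod N).
    Precomputation: a table of M1^e mod N (2^m1 exponentiations).
    On-line: for each M2, one exponentiation, one inversion and one lookup."""
    table = {}
    for M1 in range(1, 1 << m1):
        table.setdefault(pow(M1, E, N), []).append(M1)
    found = set()
    for M2 in range(1, 1 << m2):
        # c / M2^e mod N; M2 < P, so M2 is invertible modulo N
        target = c * pow(pow(M2, E, N), -1, N) % N
        for M1 in table.get(target, ()):
            found.add(M1 * M2)
    return sorted(found)


def unpadded_key_is_recoverable(M, m1=10, m2=10):
    """Reviewer's check: does the given small plaintext fall to the split attack?"""
    return M in mitm_recover(encrypt(M), m1, m2)


def demo_key():
    # Constructed 20-bit "session key" that splits into two 10-bit factors.
    return unpadded_key_is_recoverable(997 * 1013)
```

Randomized padding such as OAEP, recommended in Section 6, removes the precondition: the integer actually exponentiated is then a full-size value with no useful split into small factors, so the table has nothing to collide with.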

6   Summary and Open Problems

We showed that plain RSA and plain ElGamal encryption are fundamentally insecure. In particular, when they are used to encrypt an $m$-bit session-key, the key can often be recovered in time approximately $2^{m/2}$. Hence, although an $m$-bit key is used, the effective security provided by the system is only $m/2$ bits. These results demonstrate the importance of adding a preprocessing step such as OAEP to RSA and a process such as DHAES to ElGamal. The attack presented in the paper can be used to motivate the need for preprocessing in introductory descriptions of these systems.

There are a number of open problems regarding this attack:

Problem 1: Is there a $O(2^{m/2})$ time algorithm for the multiplicative subgroup rounding problem that works for all $\Delta$?

Problem 2: Is there a $O(2^{m/2})$ time algorithm for the additive subgroup rounding problem?

Problem 3: Can either the multiplicative or additive problems be solved in time less than $\Omega(2^{m/2})$? Is there a sub-exponential algorithm (in $2^m$)?
Abstract. In 1985 Fell and Diffie proposed constructing trapdoor functions with multivariate equations [11]. They used several sequentially solved stages that combine into a triangular system we call T. In the present paper, we study a more general family of TPM (for "Triangle Plus Minus") schemes: a triangular construction mixed with some $u$ random polynomials and with some $r$ of the beginning equations removed. We go beyond all previous attacks proposed on such cryptosystems using a low degree component of the inverse function. The cryptanalysis of TPM is reduced to a simple linear algebra problem called MinRank($r$): Find a linear combination of given matrices that has a small rank $r$.

We introduce a new attack for MinRank called 'Kernel Attack' that works for $q^r$ small. We explain that TPM schemes can be used in encryption only if $q^r$ is small and therefore they are not secure.

As an application, we showed that the TTM cryptosystem proposed by T.T. Moh at CrypTec'99 [15,16] reduces to MinRank(2). Thus, though the cleartext size is 512 bits, we break it in $O(2^{62})$. The particular TTM of [15,16] can be broken in $O(2^{28})$ due to additional weaknesses, and we needed only a few minutes to solve the challenge TTM 2.1 from the website of the TTM selling company, US Data Security.

We also studied TPM in signature, possible only if $q^u$ is small. It is equally insecure: the 'Degeneracy Attack' we introduce runs in $q^u \cdot$ polynomial time.


1   Introduction

The current research effort in practical public key cryptography introduced by Rivest, Shamir and Adleman, with univariate polynomials over $\mathbb{Z}_N$, is following two paths. The first is considering more complex groups, e.g. elliptic curves. The second is considering multivariate equations. Though many proposed schemes are being broken, some remain unbroken even for the simplest groups like $\mathbb{Z}_2$. One of the paradigms for constructing multivariate trapdoor cryptosystems is the triangular construction, proposed initially in an iterated form by Fell and Diffie (1985). It uses equations that involve $1, 2, \ldots, n$ variables and are solved sequentially. The special form of the equations is hidden by two linear transformations on inputs (variables) and outputs (equations). We call T this triangular construction. Let TPM (T Plus-Minus) be T with added final $u$ random (full-size) quadratic polynomials, and with $r$ of the beginning equations removed.

T. Okamoto (Ed.): ASIACRYPT 2000, LNCS 1976, pp. 44-57, 2000.

© Springer-Verlag Berlin Heidelberg 2000
The cryptosystem TTM, proposed by T.T. Moh at CrypTec'99, is, in spite of an apparent complexity, shown in 2.4 to be a subcase of TPM. The initially proposed scheme is very weak due to linear dependencies, and in section 4.2 we present the solution (plaintext) to the TTM 2.1 challenge proposed by the company US Data Security, which is currently selling implementations of TTM. After this, we focus on breaking more general TPM schemes.

The general strategy to recover the secret key of TPM/TTM systems is presented in 3. It requires finding a linear combination of public equations that depends only on a subspace of variables. This gives a simple linear algebra problem called MinRank: Let us consider some $n \times n$ matrices over $\mathrm{GF}(q)$: $M_1, \ldots, M_t$. We need to find a linear combination $M$ of the $M_i$ that has a small rank $r < n$. The name of MinRank has apparently been used first in the paper [19] that shows that MinRank is NP-complete. However the MinRank instances in TPM/TTM use very small $r$, e.g. T.T. Moh's proposal from [16] gives $r = 2$. We note that the powerful idea of using a small rank goes back to the cryptanalysis of Shamir's birational scheme [20] by Coppersmith, Stern and Vaudenay [6,7], and appears also in the Shamir-Kipnis attack on HFE [14] proposed by Patarin [17].

In 2.2 we explain how to use the TPM schemes in encryption, which is possible only if $q^r$ is small. However, in section 5 we present an attack that works precisely when $q^r$ is small, based on the small co-dimension of the kernel of the unknown matrix $M$. This 'Kernel attack' breaks in approximately $2^{52}$ a cryptosystem with 512 bit cleartexts.

Similarly in 2.2 we explain how to use the TPM schemes in signature; possible only with $q^u$ not too big. Then in section 6 we introduce the 'Degeneracy attack' on TPM based on iterative searching of degenerate polynomials. It works precisely when $q^u$ is small and the signature proposals of [15,16] are insecure.

2   The TPM Family of Cryptosystems

2.1   General Description of TPM

In the present section, we describe the general family TPM($n, u, r, K$), with:

- $n, u, r$ integers such that $r < n$. We also systematically put $m = n + u - r$.

- $K = \mathrm{GF}(q)$ a finite field.

We first consider a function $\mathcal{F} : K^n \to K^{n+u-r}$ such that $(y_1, \ldots, y_{n+u-r}) = \mathcal{F}(x_1, \ldots, x_n)$ is defined by the following system of equations:

$y_1 = x_1 + g_1(x_{n-r+1}, \ldots, x_n)$

$y_2 = x_2 + g_2(x_1;\ x_{n-r+1}, \ldots, x_n)$

$y_3 = x_3 + g_3(x_1, x_2;\ x_{n-r+1}, \ldots, x_n)$

$\vdots$

$y_{n-r} = x_{n-r} + g_{n-r}(x_1, \ldots, x_{n-r-1};\ x_{n-r+1}, \ldots, x_n)$

$y_{n-r+1} = g_{n-r+1}(x_1, \ldots, x_n)$

$\vdots$

$y_{n-r+u} = g_{n-r+u}(x_1, \ldots, x_n)$

with each $g_i$ ($1 \le i \le n + u - r$) being a randomly chosen quadratic polynomial.

The Public Key

The user selects a random invertible affine transformation $s : K^n \to K^n$, and a random invertible affine transformation $t : K^{n+u-r} \to K^{n+u-r}$. Let $F = t \circ \mathcal{F} \circ s$. By construction, if we denote $(y'_1, \ldots, y'_{n+u-r}) = F(x'_1, \ldots, x'_n)$, we obtain an explicit set $\{P_1, \ldots, P_{n+u-r}\}$ of $(n + u - r)$ quadratic polynomials in $n$ variables, such that:

$y'_1 = P_1(x'_1, \ldots, x'_n)$

$\vdots$

$y'_{n+u-r} = P_{n+u-r}(x'_1, \ldots, x'_n)$

This set of $(n + u - r)$ quadratic polynomials constitutes the public key of this TPM($n, u, r, K$) cryptosystem. Its size is $\frac{1}{8}(n + u - r)(n + 1)\left(\frac{n}{2} + 1\right)\log_2(q)$ bytes.

Fig. 1. General view of the TPM scheme - The two classes of attacks. (Diagram labels: $r$ variables; $m$ equations; $r$ "removed" equations; "triangular" equations.)

2.2   Encryption Protocol (when $u > r$)

Encrypting a message

Given a plaintext $(x'_1, \ldots, x'_n) \in K^n$, the sender computes $y'_i = P_i(x'_1, \ldots, x'_n)$ for $1 \le i \le n + u - r$ - thanks to the public key - and sends the ciphertext $(y'_1, \ldots, y'_{n+u-r}) \in K^{n+u-r}$.
Decrypting a message

Given a ciphertext $(y'_1, \ldots, y'_{n+u-r}) \in K^{n+u-r}$, the legitimate receiver recovers the plaintext by the following method.

- Compute $(y_1, \ldots, y_{n+u-r}) = t^{-1}(y'_1, \ldots, y'_{n+u-r})$;

- Make an exhaustive search on the $r$-tuple $(x_{n-r+1}, \ldots, x_n) \in K^r$, until the $n$-tuple $(x_1, \ldots, x_n)$ obtained by $x_i = y_i - g_i(x_1, \ldots, x_{i-1};\ x_{n-r+1}, \ldots, x_n)$ (for $1 \le i \le n - r$) satisfies the $u$ following equations $g_i(x_1, \ldots, x_n) = y_i$ (for $n - r + 1 \le i \le n - r + u$).

- For the obtained $(x_1, \ldots, x_n)$ $n$-tuple, get $(x'_1, \ldots, x'_n) = s^{-1}(x_1, \ldots, x_n)$.

This decryption algorithm thus has a complexity essentially $O(q^r)$. As a result, a TPM($n, u, r, K$) cryptosystem can be practically used in encryption mode only under the assumption that $q^r$ is "small enough".

The condition $u > r$ ensures that the probability of obtaining a collision is negligible, and thus that the ciphering function $F$ can be considered as an injection from $K^n$ into $K^{n+u-r}$.

When $r = u = 0$, this kind of scheme has been considered and attacked by Fell and Diffie in [11] (in an iterated form) and by Patarin and Goubin in [18]. All these attacks exploit the fact that the inverse function is of low degree in some variables, whereas the present paper cryptanalyses much more general cases with $r \ne 0$ and $u \ne 0$.
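A toy TPM($n, u, r, K$) instance covering Sections 2.1 and 2.2 end to end, as an added example that is not the paper's code: the triangular map $\mathcal{F}$, the public key $F = t \circ \mathcal{F} \circ s$, and the $O(q^r)$ decryption by exhaustive search over the $r$ removed variables. The parameters $q = 7$, $n = 5$, $u = 3$, $r = 1$ and the polynomial and affine-map helpers are constructed for the demonstration; variables are 0-indexed, so the removed variables are indices $n-r, \ldots, n-1$. Decryption returns every candidate that passes the $u$ check equations, so that the (rare) collision the text mentions is visible rather than hidden.

```python
"""Added example (not from the paper): a toy TPM(n, u, r, K) over a prime field with
the triangular central map, the public key t o F o s, and O(q^r) decryption."""
import itertools
import random

q = 7                # K = GF(7): a prime field keeps arithmetic to integers mod q
n, u, r = 5, 3, 1    # constructed parameters; m = n + u - r = 7


def rand_quadratic(rng, vars_):
    """Random quadratic polynomial in the listed variable indices, stored as
    {(): constant, (i,): linear coefficient, (i, j): quadratic coefficient, i <= j}."""
    poly = {(): rng.randrange(q)}
    for i in vars_:
        poly[(i,)] = rng.randrange(q)
    for i, j in itertools.combinations_with_replacement(vars_, 2):
        poly[(i, j)] = rng.randrange(q)
    return poly


def evaluate(poly, x):
    total = 0
    for mono, c in poly.items():
        term = c
        for i in mono:
            term = term * x[i] % q
        total += term
    return total % q


def inverse_mod_q(A):
    """Gauss-Jordan inverse of a square matrix over GF(q); None if singular."""
    k = len(A)
    M = [row[:] + [int(i == j) for j in range(k)] for i, row in enumerate(A)]
    for col in range(k):
        piv = next((i for i in range(col, k) if M[i][col]), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, q)
        M[col] = [v * inv % q for v in M[col]]
        for i in range(k):
            if i != col and M[i][col]:
                f = M[i][col]
                M[i] = [(a - f * b) % q for a, b in zip(M[i], M[col])]
    return [row[k:] for row in M]


def rand_affine(rng, k):
    """Random invertible affine map x -> A x + b on K^k, returned with its inverse."""
    while True:
        A = [[rng.randrange(q) for _ in range(k)] for _ in range(k)]
        Ainv = inverse_mod_q(A)
        if Ainv is not None:
            break
    b = [rng.randrange(q) for _ in range(k)]
    fwd = lambda x: [(sum(A[i][j] * x[j] for j in range(k)) + b[i]) % q for i in range(k)]
    inv = lambda y: [sum(Ainv[i][j] * (y[j] - b[j]) for j in range(k)) % q for i in range(k)]
    return fwd, inv


def keygen(seed=0):
    """Secret key: the g_i, the affine maps s and t, and their inverses."""
    rng = random.Random(seed)
    tail = list(range(n - r, n))                 # the r "removed" variables
    g = [rand_quadratic(rng, list(range(i)) + tail) for i in range(n - r)]  # triangular part
    g += [rand_quadratic(rng, list(range(n))) for _ in range(u)]            # u random full-size
    s, s_inv = rand_affine(rng, n)
    t, t_inv = rand_affine(rng, n + u - r)
    return g, s, s_inv, t, t_inv


def central_map(g, x):
    """Section 2.1: y_i = x_i + g_i(...) for the triangular rows, y_i = g_i(x) after."""
    y = [(x[i] + evaluate(g[i], x)) % q for i in range(n - r)]
    y += [evaluate(g[i], x) for i in range(n - r, n + u - r)]
    return y


def encrypt(key, x_prime):
    """What the public key computes: t(F(s(x')))."""
    g, s, _, t, _ = key
    return t(central_map(g, s(x_prime)))


def decrypt(key, y_prime):
    """Section 2.2: q^r guesses of the removed variables, each solved top-down,
    kept only if the u extra equations hold. Returns all surviving candidates."""
    g, _, s_inv, _, t_inv = key
    y = t_inv(y_prime)
    candidates = []
    for tail in itertools.product(range(q), repeat=r):
        x = [0] * (n - r) + list(tail)
        for i in range(n - r):                   # g_i only involves x_0..x_{i-1} and the tail
            x[i] = (y[i] - evaluate(g[i], x)) % q
        if all(evaluate(g[i], x) == y[i] for i in range(n - r, n + u - r)):
            candidates.append(s_inv(x))
    return candidates
```

With $q^r = 7$ the decryption loop is trivial; the text's point is that the same loop is what forces $q^r$ to stay small in any deployable instance, which is exactly the regime the paper's later Kernel attack targets.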


2.3   Signature Protocol (when $u < r$)

Signing a message

Given a message $M$, we suppose that $(y'_1, \ldots, y'_{n+u-r}) = h(M) \in K^{n+u-r}$, with $h$ being a (collision-free) hash function. To sign the message $M$, the legitimate signer

- computes $(y_1, \ldots, y_{n+u-r}) = t^{-1}(y'_1, \ldots, y'_{n+u-r})$;

- chooses random $r$-tuples $(x_{n-r+1}, \ldots, x_n)$, until the $n$-tuple $(x_1, \ldots, x_n)$ obtained by $x_i = y_i - g_i(x_1, \ldots, x_{i-1};\ x_{n-r+1}, \ldots, x_n)$ (for $1 \le i \le n - r$) satisfies the $u$ following equations $g_i(x_1, \ldots, x_n) = y_i$ (for $n - r + 1 \le i \le n - r + u$).

- for the obtained $(x_1, \ldots, x_n)$ $n$-tuple, gets $(x'_1, \ldots, x'_n) = s^{-1}(x_1, \ldots, x_n)$.

This signature algorithm thus has a complexity essentially $O(q^u)$. As a result, a TPM($n, u, r, K$) cryptosystem can be practically used in signature mode only under the assumption that $q^u$ is "small enough".

The condition $u < r$ ensures that the probability of finding no solution $(x_1, \ldots, x_n)$ for the equation $\mathcal{F}(x_1, \ldots, x_n) = (y_1, \ldots, y_{n+u-r})$ is negligible, and thus that the ciphering function $F$ can be viewed as a surjection from $K^n$ onto $K^{n+u-r}$.

We will describe in section 6 a general attack on this signature scheme, that is also applicable when $u$ is non-zero, with $q^u$ not too large. Therefore the signature proposed by T.T. Moh in [15,16] is insecure.
2.4   The TTM Encryption System

In the present section, we recall the original description of the TTM cryptosystem, given by T.T. Moh in [15,16]. This definition of TTM is based on the concept of tame automorphisms. As we will see, TTM is a particular case of our general family TPM: it belongs to the family TPM(64, 38, 2, GF(256)).

General Principle

Let $K$ be a finite field (which will be supposed "small" in real applications). We first consider two bijections $\Phi_2$ and $\Phi_3$ from $K^{n+v}$ to $K^{n+v}$, with $(z_1, \ldots, z_{n+v}) = \Phi_2(x_1, \ldots, x_{n+v})$ and $(y_1, \ldots, y_{n+v}) = \Phi_3(z_1, \ldots, z_{n+v})$ defined by the two following systems of equations:

$\Phi_2 :$

$z_1 = x_1$

$z_2 = x_2 + f_2(x_1)$

$z_3 = x_3 + f_3(x_1, x_2)$

$\vdots$

$z_n = x_n + f_n(x_1, \ldots, x_{n-1})$

$z_{n+1} = x_{n+1} + f_{n+1}(x_1, \ldots, x_n)$

$\vdots$

$z_{n+v} = x_{n+v} + f_{n+v}(x_1, \ldots, x_{n+v-1})$

$\Phi_3 :$

$y_1 = z_1 + P(z_{n+1}, \ldots, z_{n+v})$

$y_2 = z_2 + Q(z_{n+1}, \ldots, z_{n+v})$

$y_3 = z_3$

$\vdots$

$y_{n+v} = z_{n+v}$

with $f_2, \ldots, f_{n+v}$ quadratic forms over $K$, and $P$, $Q$ two polynomials of degree eight over $K$.

$\Phi_2$ and $\Phi_3$ are both "tame automorphisms" (see [15,16] for a definition) and thus are one-to-one transformations. As a result, $(x_1, \ldots, x_{n+v}) \mapsto (y_1, \ldots, y_{n+v}) = \Phi_3 \circ \Phi_2(x_1, \ldots, x_{n+v})$ is also one-to-one and can be described by the following system of equations:

$y_1 = x_1 + P\big(x_{n+1} + f_{n+1}(x_1, \ldots, x_n), \ldots, x_{n+v} + f_{n+v}(x_1, \ldots, x_{n+v-1})\big)$

$y_2 = x_2 + f_2(x_1) + Q\big(x_{n+1} + f_{n+1}(x_1, \ldots, x_n), \ldots, x_{n+v} + f_{n+v}(x_1, \ldots, x_{n+v-1})\big)$

$y_3 = x_3 + f_3(x_1, x_2)$

$\vdots$

$y_n = x_n + f_n(x_1, \ldots, x_{n-1})$

$y_{n+1} = x_{n+1} + f_{n+1}(x_1, \ldots, x_n)$

$\vdots$

$y_{n+v} = x_{n+v} + f_{n+v}(x_1, \ldots, x_{n+v-1})$

T.T. Moh found a clever way of choosing $P$, $Q$ and $f_i$ such that $y_1$ and $y_2$ both become quadratic functions of $x_1, \ldots, x_n$ when we set $x_{n+1} = \ldots = x_{n+v} = 0$.

Actual Parameters

This paragraph is given in the appendix. T.T. Moh chooses $n = 64$, $v = 36$ and $K = \mathrm{GF}(256)$. As a result, TTM belongs to TPM(64, 38, 2, GF(256)). Applying the formula of section 2.1, the size of the public keys is 214.5 Ko.
3   General Strategy of TPM Attacks

In the present section, we describe a general strategy to attack a cryptosystem of the TPM Family when $r$ is "small". It will amount to solving the MinRank problem. As a result TTM, that is a TPM(64, 38, 2, GF(256)), will be broken.

3.1   The MinRank Problem

Let $r$ be an integer and $K$ a field. We denote by MinRank($r$) the following problem: given a set $\{M_1, \ldots, M_m\}$ of $n \times n$ matrices whose coefficients lie in $K$, find at least one $m$-tuple $(\lambda_1, \ldots, \lambda_m) \in K^m$ such that $\mathrm{Rank}\left(\sum_{i=1}^{m} \lambda_i M_i\right) \le r$.

The (even more) general MinRank problem has been first defined and studied by Shallit, Frandsen and Buss in [19]. It generalizes the "Rank Distance Coding" problem by Gabidulin [12] (studied also in [3,22]), which itself generalizes the "Minimal Weight" problem of error correcting codes (see [1,21,2,13]). In the Shamir-Kipnis attack on Patarin's HFE cryptosystem [14,17], the authors used an instance of MinRank($r$) with $r = \lceil \log_q n \rceil + 1$ and therefore their attack is not polynomial. In the present paper $r$ is a small constant, e.g. 2. We note that the idea of finding small ranks has first been used by Coppersmith, Stern and Vaudenay in [6,7] for breaking Shamir's birational scheme [20].

Recently Courtois proposed a new zero-knowledge scheme based on MinRank [10,9]. Though in the present paper only two algorithms for MinRank are introduced, another two can be found in [9].


3.2   Complexity of MinRank

The general MinRank problem has been proven to be NP-complete by Shallit, Frandsen and Buss (see [19]). More precisely, they prove that MinRank($r$) is NP-complete when $r = n - 1$ (this corresponds to the problem of finding a linear combination of $M_1, \ldots, M_m$ that is singular). The principle of their proof consists in writing any set of multivariate equations as an instance of MinRank. It can be used in the same way to extend their result to the cases $r = n - 2$, $r = n - 3$, $\ldots$ and even $r = n^{\alpha}$ (when $\alpha > 0$ is fixed). However, MinRank is not hard when $r$ gets smaller; indeed, in 5 we will introduce an expected polynomial time algorithm to solve MinRank for any fixed $r$.


3.3   Strategy of Attack

We recall that $m = n + u - r$. We suppose $m \le 2n$, as an encryption function with expansion rate $> 2$ is unacceptable. Moreover, if $m \gg O(n)$, the cryptosystem is expected to be broken by Gröbner bases [8].

In each equation $y_i = x_i + g_i(x_1, \ldots, x_{i-1};\ x_{n-r+1}, \ldots, x_n)$ ($1 \le i \le n - r$), the homogeneous part is given by ${}^tX A_i X$, with ${}^tX = (x_1, \ldots, x_n)$, $A_i$ being a (secret) matrix. Similarly, in each public equation $y'_i = P_i(x'_1, \ldots, x'_n)$ the homogeneous part is given by ${}^tX' M_i X'$, with ${}^tX' = (x'_1, \ldots, x'_n)$, $M_i$ being a (public) matrix.

50   Louis Goubin and Nicolas T. Courtois

The fact that $(x_1, \ldots, x_n) = s(x'_1, \ldots, x'_n)$ and $(y'_1, \ldots, y'_m) = t(y_1, \ldots, y_m)$ implies that there exist an invertible $n \times n$ matrix $S$ and an invertible $m \times m$ matrix $T$ such that:

$T \begin{pmatrix} {}^t(SX')\, A_1\, (SX') \\ \vdots \\ {}^t(SX')\, A_m\, (SX') \end{pmatrix} = \begin{pmatrix} {}^tX' M_1 X' \\ \vdots \\ {}^tX' M_m X' \end{pmatrix}$

Let $T^{-1} = (t_{ij})$. We thus have, for any $X'$:

${}^tX' \left({}^tS A_i S\right) X' = {}^tX' \left(\sum_{j=1}^{m} t_{ij} M_j\right) X'$

so that:

$\forall i,\ 1 \le i \le m,\quad \sum_{j=1}^{m} t_{ij} M_j = {}^tS A_i S.$

From the construction of TPM($n, u, r, K$), we have $\mathrm{Rank}(A_1) \le r$. Since $S$ is an invertible matrix, we have $\mathrm{Rank}(A_1) = \mathrm{Rank}({}^tS A_1 S)$ and thus $\mathrm{Rank}\left(\sum_{j=1}^{m} t_{1j} M_j\right) \le r$, that is precisely an instance of MinRank($r$).

Suppose we are able to find (at least) one $m$-tuple $(\lambda_1, \ldots, \lambda_m)$ such that $\mathrm{Rank}\left(\sum_{j=1}^{m} \lambda_j M_j\right) \le r$. With a good probability, we can suppose that:

$\sum_{j=1}^{m} \lambda_j M_j = \mu \cdot {}^tS A_1 S \qquad (\mu \in K^*).$

Then we deduce the vector spaces $V_0 = S^{-1}(K^{n-r} \times \{0\}^r)$ (corresponding to $x_{n-r+1} = \ldots = x_n = 0$) and $W_0 = S^{-1}(\{0\}^{n-r} \times K^r)$ (corresponding to $x_1 = \ldots = x_{n-r} = 0$) by simply noticing that $V_0 = \mathrm{Ker}\left(\sum_{j=1}^{m} \lambda_j M_j\right)$ and $W_0 = \mathrm{Ker}\left(\sum_{j=1}^{m} \lambda_j M_j\right)^{\perp}$.

Once we have found $V_0$ and $W_0$, we can easily deduce the vector space $V_1 = S^{-1}(\{0\} \times K^{n-r-1} \times \{0\}^r)$ of dimension $n - r - 1$ (corresponding to $x_1 = x_{n-r+1} = \ldots = x_n = 0$) and $W_1 = S^{-1}(K \times \{0\}^{n-r-1} \times K^r)$ (corresponding to $x_2 = \ldots = x_{n-r} = 0$): we just look for coefficients $\alpha_1, \ldots, \alpha_n, \beta_1, \ldots, \beta_m$ such that the following equation:

$\sum_{j=1}^{m} \beta_j y'_j = \sum_{i=1}^{n} \alpha_i x'_i + \delta,$

holds for any element of $V_0$. This can be obtained by simple Gaussian reduction. We also obtain the $g_2$ quadratic function by Gaussian reduction.
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By repeating these steps, we obtain two sequences of vector spaces: 
V 0 DV 1 DV 2 D...D K-r-l 

ii'„ c w, cir 2 c...c ir„ r _i. 

At the end, we have completely determined the secret transformations $s$ and $t$, together with the secret functions $g_i$. As a result, this algorithm completely breaks the TPM family of cryptosystems (we recovered the secret key).

4 Special Case Attacks on TPM 

4.1 The ‘Linearity Attack’ on TTM 

In this paragraph, we study the particular case of TTM, as described by T.T. Moh in [15,16]. In this case, we show that the MinRank$(r)$ problem is easily solved, because of the particular structure of the $Q_8$ function used in $\Phi_3$.

Description of the Attack 

In section 3.3, we proved that an attack can be successfully performed on this cryptosystem, as soon as we can find out the vector spaces $V_0 = S^{-1}(\{0\}^2 \times K^{62})$ (corresponding to $x_1 = x_2 = 0$) and $W_0 = S^{-1}(K^2 \times \{0\}^{62})$ (corresponding to $x_3 = \ldots = x_{64} = 0$). At first sight, the equations giving $y_1$ and $y_2$ seem to be quadratic in $(x_1, \ldots, x_{64})$. This leads a priori to an instance of MinRank$(2)$.

However, note that the function $x \mapsto x^2$ is linear on $K = GF(256)$, considered as a vector space of dimension 8 over $F = GF(2)$. Therefore, considering the equations describing the (secret) $\Phi$ function of TTM¹, if we choose a basis $(\omega_1, \ldots, \omega_8)$ of $K$ over $F$ and write $x_i = x_{i,1}\omega_1 + \ldots + x_{i,8}\omega_8$ ($1 \le i \le 64$), $y_1$ and $y_2$ become linear functions of $x_{1,1}, x_{1,2}, \ldots, x_{1,8}, \ldots, x_{64,1}, \ldots, x_{64,8}$. In terms of MinRank, this means that TTM leads to an instance of MinRank$(0)$ for $8n \times 8n$ matrices (instead of an instance of MinRank$(2)$ for $n \times n$ matrices). This leads to the following attack on TTM:

1. Let $x'_i = x'_{i,1}\omega_1 + \ldots + x'_{i,8}\omega_8$ ($1 \le i \le 64$). Rewrite each public equation $y'_i = P_i(x'_1, \ldots, x'_{64})$ as $y'_i = P_i(x'_{1,1}, \ldots, x'_{64,8})$ (with $P_i$ now a quadratic polynomial in $64 \times 8 = 512$ variables over $F = GF(2)$).

2. Find the vector space of the 612-tuples $(\beta_1, \ldots, \beta_{100}, \alpha_{1,1}, \ldots, \alpha_{64,8}) \in K^{612}$ satisfying:

$$\sum_{j=1}^{100} \beta_j y'_j = \sum_{i=1}^{64} \sum_{k=1}^{8} \alpha_{i,k}\, x'_{i,k}$$

This can be done by Gaussian reduction. We thus obtain the vector spaces $V_0$ and $W_0$ defined above.

3. The remaining part of the attack is exactly the same as in section 3.3. 

¹ See (E) in the appendix, in which $t_{19}$ is a linear transformation.
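The observation above, that $x \mapsto x^2$ is $GF(2)$-linear on $K = GF(256)$ and hence that $y_1 = x_1 + x_{62}^2$ from system (E) is a $GF(2)$-linear form in the bit-coordinates, checked in code; this is an added example, not code from the paper. It assumes the polynomial basis of $x^8 + x^4 + x^3 + x + 1$ for $K$ (the paper does not fix a basis) and represents each $x_i$ as a byte.

```python
"""GF(2)-linearity of squaring in K = GF(256), the observation behind the
2^28 attack of section 4.1.  Added example for this page, not code from the
paper.  The field is built on the polynomial basis of x^8 + x^4 + x^3 + x + 1
(an assumption: the paper does not fix a basis); an element is a byte whose
bit k is its coordinate on omega_{k+1} = x^k."""
import random

MODULUS = 0x11B  # x^8 + x^4 + x^3 + x + 1, assumed reduction polynomial


def gf_mul(a, b):
    """Product in GF(256): shift-and-add (carry-less) multiply, reduced mod MODULUS."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= MODULUS
        b >>= 1
    return r


def gf_square(a):
    return gf_mul(a, a)


def frobenius_matrix():
    """8x8 GF(2) matrix F with F * bits(a) = bits(a^2), built from the images
    of the basis elements omega_k = x^(k-1): column k holds bits(omega_k^2)."""
    cols = [gf_square(1 << k) for k in range(8)]
    return [[(cols[k] >> i) & 1 for k in range(8)] for i in range(8)]


def apply_gf2_matrix(mat, a):
    """Multiply an 8x8 GF(2) matrix by the bit-vector of the byte a."""
    out = 0
    for i in range(8):
        if sum(mat[i][k] & ((a >> k) & 1) for k in range(8)) % 2:
            out |= 1 << i
    return out


def squaring_is_gf2_linear():
    """(a + b)^2 == a^2 + b^2 for every a, b in K, and F reproduces squaring."""
    F = frobenius_matrix()
    additive = all(gf_square(a ^ b) == gf_square(a) ^ gf_square(b)
                   for a in range(256) for b in range(256))
    matrix_ok = all(apply_gf2_matrix(F, a) == gf_square(a) for a in range(256))
    return additive and matrix_ok


def gf_cube(a):
    return gf_mul(gf_square(a), a)


def cubing_is_gf2_linear():
    """Contrast: a -> a^3 is a genuinely non-linear map over K and is NOT additive."""
    return all(gf_cube(a ^ b) == gf_cube(a) ^ gf_cube(b)
               for a in range(256) for b in range(256))


def ttm_y1(x1, x62):
    """y_1 = x_1 + x_62^2, the first equation of system (E) (addition in K is XOR)."""
    return x1 ^ gf_square(x62)


def y1_is_gf2_linear(samples=500):
    """y_1 is additive in (x_1, x_62), so over GF(2) it is a linear form in the
    16 bit-coordinates: MinRank(0), not MinRank(2).  Inputs are constructed
    random bytes from a seeded generator so the check is reproducible."""
    rng = random.Random(2000)
    for _ in range(samples):
        a, a2, b, b2 = (rng.randrange(256) for _ in range(4))
        if ttm_y1(a ^ a2, b ^ b2) != ttm_y1(a, b) ^ ttm_y1(a2, b2):
            return False
    return True
```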
Complexity of the Attack

The main part of the algorithm consists in solving a system of linear equations on 612 variables, by Gaussian reduction. We thus obtain a complexity of approximately $2^{28}$ elementary operations to break TTM.


4.2 Solution to the TTM 2.1 Challenge of US Data Security 

In 1997, US Data Security published on the internet 3 challenges about TTM (see [23]). On May 2nd, 2000, we managed to break the second challenge, called TTM 2.1. TTM 2.1 is a public key block cipher with plaintext block size 64 and ciphertext block size 100. It works on the 8-bit finite field GF(256). The public key has been recovered with approximately 2000 queries to the "encryption oracle" available on the internet [23]. As mentioned in 2.4, its size is 214.5 Kbytes. Moreover, it was broken in a simpler way than the one we described above. By iterative exploration of its linearities, in 3 minutes on a PC we obtained the following plaintext, which can be easily checked to be the exact solution to TTM 2.1 (note that the quotation marks are part of this plaintext):

"Tao TTP way BCKP of living hui mountain wen river moon love pt" 

5 The ‘Kernel Attack’ on MinRank and TPM 

In the present section we take the strategy of attack from 3.3 and use it with a new attack on MinRank$(r)$, which works when $q^r$ is small enough.

Description of the Attack (notations are as in 3.3) 

1. Choose $k$ random vectors $X'^{(1)}, \ldots, X'^{(k)}$ (with $k$ an integer depending on $n$ and $m$, that we define below). Since $\dim \mathrm{Ker}({}^tS A_1 S) = n - \mathrm{Rank}({}^tS A_1 S) \ge n - r$, we have the simultaneous conditions $X'^{(i)} \in \mathrm{Ker}({}^tS A_1 S)$ ($1 \le i \le k$) with a probability $\ge q^{-kr}$.

2. We suppose we have chosen a "good" set $\{X'^{(1)}, \ldots, X'^{(k)}\}$ of $k$ vectors (i.e. such that they all belong to $\mathrm{Ker}({}^tS A_1 S)$). Then we can find an $m$-tuple $(\lambda_1, \ldots, \lambda_m)$ such that, for all $i$, $1 \le i \le k$, $\big(\sum_{j=1}^{m} \lambda_j M_j\big)(X'^{(i)}) = 0$. They are solution of a system of $kn$ linear equations in $m$ indeterminates. As a result, if we let $k = \lceil m/n \rceil$, the solution is essentially unique and can be easily found by Gaussian reduction. We thus obtain the two vector spaces $V_0 = S^{-1}(K^{n-r} \times \{0\}^r)$ (corresponding to $x_{n-r+1} = \ldots = x_n = 0$) and $W_0 = S^{-1}(\{0\}^{n-r} \times K^r)$ (corresponding to $x_1 = \ldots = x_{n-r} = 0$).

3. The remaining part of the attack is exactly the same as in section 3.3.

Complexity of the Attack

The complexity of the attack is easily computed: $O\big(q^{\lceil m/n \rceil\, r} \cdot m^3\big)$.

Application to TTM

In the particular case of TTM, we have $q = 256$, $n = 64$, $m = 100$ and $r = 2$. We thus obtain an attack on TTM with complexity $O(2^{52})$.

Note: Compared to the $2^{28}$ of section 4.1, this attack is slower, but it does not make use of any linearity of $y_1$ and $y_2$, so that it can also be used to break possible generalizations of TTM, with more general "$Q_8$ components" (see [4] for examples of $Q_8$ which provide non linear expressions for $y_1$ and $y_2$ over $GF(2)$).

6 The ‘Degeneracy Attack’ on TPM Signature Schemes 

We describe here a general attack on TPM signature schemes (recall that such schemes are possible only for $u < r$), when $q^u$ is not too large. From the description of the attack, its complexity is easily seen to be $O(q^u \cdot n^6)$. We use the same notations as in section 3.3. In particular, $m = n + u - r$.

1. We choose a random $m$-tuple $(\beta_1, \ldots, \beta_m) \in K^m$. With a probability $q^{-u-1}$, we can suppose that $\sum_i \beta_i P_i$ is a degenerate quadratic polynomial (i.e. a quadratic polynomial which can be rewritten with fewer variables after a linear change of variables). The fact that a quadratic polynomial is degenerate can easily be detected: for instance by using its canonical form (see [18] for some other methods).

2. Suppose we have found a "good" $m$-tuple $(\beta_1, \ldots, \beta_m)$. Considering the new set of ($< n$) variables for the quadratic form $\sum_i \beta_i P_i$, we deduce easily the vector space $W_{n-r} = S^{-1}(K^{n-r-1} \times \{0\} \times K^r)$.

3. Then we look for an $n$-tuple $(\alpha_1, \ldots, \alpha_n) \in K^n$ and a quadratic function $g_{n-r}$, such that:

$$\sum_{j=1}^{m} \beta_j y'_j = \sum_{i=1}^{n} \alpha_i x'_i + g_{n-r}(x'_1, \ldots, x'_n)$$

is true for any $(x'_1, \ldots, x'_n) \in W_{n-r}$. This can be done by Gaussian reduction. We thus obtain the vector space $V_{n-r} = S^{-1}(\{0\}^{n-r-1} \times K \times \{0\}^r)$ and the quadratic polynomial $g_{n-r}$.

4. The same principle can be repeated $n - r$ times, so as to obtain two sequences of vector spaces:

$$V_{n-r} \subset V_{n-r-1} \subset \ldots \subset V_0$$
$$W_{n-r} \supset W_{n-r-1} \supset \ldots \supset W_0.$$

At the end, as in the attack described in section 3.3, we have completely determined the secret transformations $s$ and $t$, together with the secret functions $g_i$. As a result, this algorithm completely breaks the TPM family in signature mode (we recovered the secret key).
7 Conclusion

We cryptanalysed a large class of cryptosystems TPM, that includes TTM as described by T.T. Moh [16]. They can be broken in polynomial time, as long as $r$ is fixed. The proposed TTM cryptosystem [16] can be broken in $2^{28}$ due to linearities. Thus we could easily break the "TTM 2.1" challenge proposed by US Data Security in October 1997. Even if $Q_8$ was nonlinear, and since $r = 2$, it is still broken in $2^{52}$ elementary operations for a 512-bit cryptosystem.

We also showed that signature schemes using TPM are insecure. There is 
very little hope that a secure triangular system will ever be proposed. 
Appendix: Actual Parameters for the TTM Cryptosystem

Let $Q_8$ be the function defined by

$$Q_8(q_1, \ldots, q_{30}) = q_1 + q_{29} + q_{30} + [q_2 + q_3 q_8 + q_4 q_5 + q_6 q_{12} + q_7 q_{13}] \times [q_9 + (q_{10} + q_{14} q_{15} + q_{18} q_{19} + q_{20} q_{21} + q_{22} q_{24})(q_{11} + q_{16} q_{17} + q_{23} q_{28} + q_{25} q_{26} + q_{13} q_{27})].$$

However we obtain $Q_8(q_1, \ldots, q_{30}) = t_{19}^2$ as soon as we substitute the $q_1, \ldots, q_{30}$ with:


$q_1 = t_1 + t_2 t_6$
$q_2 = t_2 + t_3 t_7$
$q_3 = t_3 + t_4 t_{10}$
$q_4 = t_3 t_5$
$q_5 = t_3 t_{11}$
$q_6 = t_4 t_7$
$q_7 = t_4 t_5$
$q_8 = t_7 + t_5 t_{11}$
$q_9 = t_9 + t_8 t_9$
$q_{10} = t_8 + t_{12} t_{13}$
$q_{11} = t_9 + t_{14} t_{15}$
$q_{12} = t_7 t_{10}$
$q_{13} = t_{10} t_{11}$
$q_{14} = t_{12} + t_7 t_8$
$q_{15} = t_{13} + t_{11} t_{16}$
$q_{16} = t_{14} + t_{10} t_{12}$
$q_{17} = t_{15} + t_{11} t_{17}$
$q_{18} = t_{12} t_{16}$
$q_{19} = t_{11} t_{12}$
$q_{20} = t_8 t_{13}$
$q_{21} = t_7 t_{13}$
$q_{22} = t_8 t_{16}$
$q_{23} = t_{14} t_{17}$
$q_{24} = t_7 t_{11}$
$q_{25} = t_{12} t_{15}$
$q_{26} = t_{10} t_{15}$
$q_{27} = t_{12} t_{17}$
$q_{28} = t_{11} t_{14}$
$q_{29} = t_{18} + t_1^2$
$q_{30} = t_{19} + t_{18}^2$
We put $n = 64$, $v = 36$, and we consider the $t_i = t_i(u_1, \ldots, u_{19})$ ($1 \le i \le 19$) as randomly chosen linear forms (i.e. homogeneous polynomials of degree one in $u_1, \ldots, u_{19}$), satisfying the following conditions:

- $t_1(u_1, \ldots, u_{19}) = u_1$;
- $t_{18}(u_1, \ldots, u_{19}) = u_{18}$;
- $t_{19}(u_1, \ldots, u_{19}) = u_{19}$;
- $t_6(u_1, \ldots, u_{19})$, $t_7(u_1, \ldots, u_{19})$, $t_{18}(u_1, \ldots, u_{19})$ and $t_{19}(u_1, \ldots, u_{19})$ depend only on the variables $u_6, u_7, \ldots, u_{17}$.

We thus obtain polynomials $q_i = q_i(u_1, \ldots, u_{19})$ ($1 \le i \le 30$) of degree two in $u_1, \ldots, u_{19}$. Finally, we choose:


$P(z_{65}, \ldots, z_{100}) = Q_8(z_{93}, \ldots, z_{100}, z_{73}, \ldots, z_{92}, z_{63}, z_{64})$
$Q(z_{65}, \ldots, z_{100}) = Q_8(z_{65}, \ldots, z_{92}, z_{61}, z_{62})$
$f_{61}(x_1, \ldots, x_{60}) = q_{29}(x_9, x_{11}, \ldots, x_{16}, x_{51}, \ldots, x_{62}) - x_{61}$
$f_{62}(x_1, \ldots, x_{61}) = q_{30}(x_9, x_{11}, \ldots, x_{16}, x_{51}, \ldots, x_{62}) - x_{62}$
$f_{63}(x_1, \ldots, x_{62}) = q_{29}(x_{10}, x_{17}, \ldots, x_{20}, x_{15}, x_{16}, x_{51}, \ldots, x_{60}, x_{63}, x_{64}) - x_{63}$
$f_{64}(x_1, \ldots, x_{63}) = q_{30}(x_{10}, x_{17}, \ldots, x_{20}, x_{15}, x_{16}, x_{51}, \ldots, x_{60}, x_{63}, x_{64}) - x_{64}$
$f_{65}(x_1, \ldots, x_{64}) = q_1(x_9, x_{11}, \ldots, x_{16}, x_{51}, \ldots, x_{62})$
$\vdots$
$f_{92}(x_1, \ldots, x_{91}) = q_{28}(x_9, x_{11}, \ldots, x_{16}, x_{51}, \ldots, x_{62})$
$f_{93}(x_1, \ldots, x_{92}) = q_1(x_{10}, x_{17}, \ldots, x_{20}, x_{15}, x_{16}, x_{51}, \ldots, x_{60}, x_{63}, x_{64})$
$\vdots$
$f_{100}(x_1, \ldots, x_{99}) = q_8(x_{10}, x_{17}, \ldots, x_{20}, x_{15}, x_{16}, x_{51}, \ldots, x_{60}, x_{63}, x_{64})$

and randomly chosen quadratic forms for $f_i$ ($2 \le i \le 60$).
Let us denote $\theta : K^{64} \to K^{100}$ the function defined by

$$\theta(x_1, \ldots, x_{64}) = (x_1, \ldots, x_{64}, 0, \ldots, 0).$$

Hence $(x_1, \ldots, x_{64}) \mapsto (y_1, \ldots, y_{100}) = \Phi_3 \circ \Phi_2 \circ \theta(x_1, \ldots, x_{64})$ is given by the following system:
(E)

$y_1 = x_1 + [t_{19}(x_9, x_{11}, \ldots, x_{16}, x_{51}, \ldots, x_{62})]^2 \quad (= x_1 + x_{62}^2)$
$y_2 = x_2 + f_2(x_1) + [t_{19}(x_{10}, x_{17}, \ldots, x_{20}, x_{15}, x_{16}, x_{51}, \ldots, x_{60}, x_{63}, x_{64})]^2 \quad (= x_2 + f_2(x_1) + x_{64}^2)$
$y_3 = x_3 + f_3(x_1, x_2)$
$\vdots$
$y_{60} = x_{60} + f_{60}(x_1, \ldots, x_{59})$
$y_{61} = q_{29}(x_9, x_{11}, \ldots, x_{16}, x_{51}, \ldots, x_{62}) \quad (= x_{61} + x_9^2)$
$y_{62} = q_{30}(x_9, x_{11}, \ldots, x_{16}, x_{51}, \ldots, x_{62}) \quad (= x_{62} + x_{61}^2)$
$y_{63} = q_{29}(x_{10}, x_{17}, \ldots, x_{20}, x_{15}, x_{16}, x_{51}, \ldots, x_{60}, x_{63}, x_{64}) \quad (= x_{63} + x_{10}^2)$
$y_{64} = q_{30}(x_{10}, x_{17}, \ldots, x_{20}, x_{15}, x_{16}, x_{51}, \ldots, x_{60}, x_{63}, x_{64}) \quad (= x_{64} + x_{63}^2)$
$y_{65} = q_1(x_9, x_{11}, \ldots, x_{16}, x_{51}, \ldots, x_{62})$
$\vdots$
$y_{92} = q_{28}(x_9, x_{11}, \ldots, x_{16}, x_{51}, \ldots, x_{62})$
$y_{93} = q_1(x_{10}, x_{17}, \ldots, x_{20}, x_{15}, x_{16}, x_{51}, \ldots, x_{60}, x_{63}, x_{64})$
$\vdots$
$y_{100} = q_8(x_{10}, x_{17}, \ldots, x_{20}, x_{15}, x_{16}, x_{51}, \ldots, x_{60}, x_{63}, x_{64})$


The Public Key

The user selects a random invertible affine transformation $\Phi_1 : K^{64} \to K^{64}$, and a random invertible affine transformation $\Phi_4 : K^{100} \to K^{100}$, such that the function $F = \Phi_4 \circ \Phi_3 \circ \Phi_2 \circ \theta \circ \Phi_1$ satisfies

$$F(0, \ldots, 0) = (0, \ldots, 0).$$

By construction of $F$, if we denote $(y'_1, \ldots, y'_{100}) = F(x'_1, \ldots, x'_{64})$, then we have an explicit set $\{P_1, \ldots, P_{100}\}$ of 100 quadratic polynomials in 64 variables, such that:

$$\begin{cases} y'_1 = P_1(x'_1, \ldots, x'_{64}) \\ \vdots \\ y'_{100} = P_{100}(x'_1, \ldots, x'_{64}) \end{cases}$$

This set of 100 polynomials constitutes the public key of the TTM cryptosystem.

Encrypting a Message

Given a plaintext $(x'_1, \ldots, x'_{64}) \in K^{64}$, the sender computes $y'_i = P_i(x'_1, \ldots, x'_{64})$ for $1 \le i \le 100$ (thanks to the public key) and sends the ciphertext $(y'_1, \ldots, y'_{100})$.

Decrypting a Message

Given a ciphertext $(y'_1, \ldots, y'_{100}) \in K^{100}$, the legitimate receiver recovers the plaintext by:

$$(x'_1, \ldots, x'_{64}) = \Phi_1^{-1} \circ \pi \circ \Phi_2^{-1} \circ \Phi_3^{-1} \circ \Phi_4^{-1}(y'_1, \ldots, y'_{100})$$

with $\pi : K^{100} \to K^{64}$ defined by $\pi(x_1, \ldots, x_{100}) = (x_1, \ldots, x_{64})$, which thus satisfies $\pi \circ \theta = \mathrm{Id}$.
Abstract. Batch verification can provide large computational savings 
when several signatures, or other constructs, are verified together. Sev- 
eral batch verification algorithms have been published in recent years, 
in particular for both DSA-type and RSA signatures. We describe new 
attacks on several of these published schemes. A general weakness is 
explained which applies to almost all known batch verifiers for discrete 
logarithm based signature schemes. It is shown how this weakness can be 
eliminated given extra properties about the underlying group structure. 
A new general batch verifier for exponentiation in any cyclic group is 
also described as well as a batch verifier for modified RSA signatures. 


1 Introduction 

Modular exponentiation is a fundamental operation for most practical digital 
signature schemes. The computational expense of both signing and verifying 
signatures is mainly due to the modular exponentiation required. Several tech- 
niques have been proposed in the literature to reduce this expense, including use 
of small exponents, and multi-exponentiation techniques [21]. An alternative way 
to realize a computational reduction is through use of batch cryptography. 

Batch cryptography is relevant in settings where many signatures (or other 
primitives) need to be generated and/or verified together. Electronic commerce 
applications are prime examples, as typically many customers interact with the 
same merchant or banking server. Although techniques have been developed to 
improve signature generation [6,16], the majority of the recent work in the area 
has focused on the batch verification of signatures. These techniques all exploit 
the homomorphic properties of exponentiation in various groups to combine a 
set of exponentiations into one equation whose computational effort is effectively 
divided amongst all the individual exponentiations required. 

The purpose of this paper is to illustrate flaws in a number of published batch 
verifiers; in some cases they are broken whilst in others we show that they do 
not provide the strength of verification claimed. We show that an observation 
of Bellare et al. [1], regarding the restrictions on use of certain batch verifiers, 
has much more serious consequences than they imply; in most applications this 

T. Okamoto (Ed.): ASIACRYPT 2000, LNCS 1976, pp. 58-71, 2000. 
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makes the tests ineffective. Through stronger assumptions on the group structure 
we show how these tests may be repaired. 


1.1 Background 

The idea of batch cryptography was introduced by Fiat [6,7]; his scheme amor- 
tized the private key operations for RSA and so was designed to assist in the 
signing and decryption operations. His idea was to batch a number of messages 
together, perform one full-scale modular exponentiation to sign the messages si- 
multaneously, and then split apart the batch into individually signed messages. 
This is achievable due to the homomorphic property of RSA and the use of 
multiple, relatively prime, public exponents, an idea introduced by Chaum [4]. 

Batch verification for DSA signatures was introduced by Naccache, M’Raihi, 
Raphaeli and Vaudenay [15]. Their scheme is designed to verify several DSA 
signatures at once by checking that a batch criterion holds and is much more 
efficient than sequential verification of individual DSA signatures¹. Harn subsequently proposed a new method for DSA signatures requiring interaction between signer and verifier [10] and later devised a non-interactive version [11].

Early work concerning (non-interactive) batch verification was also published 
by Yen and Laih [22] . Their verification techniques are proposed for batch veri- 
fication of a modification of the Schnorr or Brickell-McCurley signature schemes 
as well as for RSA. The principle, once again, is based upon the homomorphic 
properties of the respective scheme. Yen and Laih also note that to remain se- 
cure from attack, the verifier must choose random exponent values and apply 
these during batch verification. These values prevent the signer from attempting 
to introduce false signatures that would otherwise satisfy the batch verification 
criterion (the properties of this test are discussed in more detail in section 1.2). 

Recently, Bellare, Garay, and Rabin [1,2] described several techniques for 
conducting batch verification of exponentiation with high confidence that false 
values have not been mixed into the batch. The technique which they refer to 
as the small exponents test, is very similar to the algorithms of Naccache et al. 
[15] and Yen and Laih [22], while their more sophisticated bucket test turns out 
to be more efficient for larger batch instances. 


1.2 Batch Verification of Exponentiation 

First we give a general idea of how batch verification of exponentiation works 
in a group. Consider the situation where we are given $n$ elements $y_1, y_2, \ldots, y_n$, all in a multiplicative group $G$, and $n$ exponents $x_1, x_2, \ldots, x_n$, all integers up to some size (we will become more specific shortly). A fixed element $g \in G$ is known. The idea of batch verification is to check that $y_i = g^{x_i}$ for each $i$ without having to make this explicit calculation $n$ times. In the case that the $x_i$ values are indeed the discrete logarithms of the respective $y_i$ values we will say that

¹ An earlier version of the paper of Naccache et al. included an additional interactive batch verifier. Lim and Lee [12] showed that this version is not secure.
the batch is correct. A good batch verification algorithm should identify, at least with high probability, whenever one or more of the $x_i$ values is not the discrete logarithm of the respective $y_i$.

All the known batch verification techniques are based on the multiplicative 
property of the group. Specifically, if the batch is correct then the following 
equation holds. 


$$\prod_{i=1}^{n} y_i = g^{\sum_{i=1}^{n} x_i} \qquad (1)$$

It is easily checked that the converse is false: if equation 1 holds then it need not be the case that the batch is correct. For example, adding a constant to one $x_i$ value and subtracting the same constant from a different $x_i$ value does not change equation 1 but invalidates the batch. Another example is where the correct $x_i$ values are randomly permuted.

Various authors [15,22] have noticed this and suggested that, to turn equation 1 into a useful batch verifier, randomisation should be introduced. This is done by multiplying the $x_i$ values by small random values which must also be introduced as small exponents for the $y_i$ values. An attacker who wishes to have an incorrect batch accepted has to anticipate which random values will be used. We follow Bellare et al. [1] and call this idea the small exponents test. The algorithm is shown in table 1. Bellare et al. prove that the small exponents test is a good batch verifier with error bounded by $2^{-l}$ as long as $q$, the order of the group $G$, is prime. It can be seen that the algorithm uses one full exponentiation in $G$ plus $n$ multiplications to obtain $x$ and finally the cost of the $n$ small exponentiations to find $y$. Bellare et al. use a multi-exponentiation algorithm to show that the total average cost is $l + n(1 + l/2)$ multiplications in addition to the full exponentiation.


Given: $g$ a generator of the group $G$ of prime order $q$, and $(x_1, y_1), (x_2, y_2), \ldots, (x_n, y_n)$ with $x_i \in \mathbb{Z}_q$ and $y_i \in G$. Also a security parameter $l$.
Check: That $\forall i \in \{1, \ldots, n\}$: $y_i = g^{x_i}$.

1. Pick $s_1, \ldots, s_n \in \{0, 1\}^l$ at random.

2. Compute $x = \sum_{i=1}^{n} x_i s_i \bmod q$ and $y = \prod_{i=1}^{n} y_i^{s_i}$.

3. If $g^x = y$ then accept, else reject.

Table 1. Small exponents test for batch verification of exponentiation [1]


We will concentrate on the small exponents test in this paper. Bellare et 
al. also propose a variation which they call the bucket test which can be more 
efficient for large batches. Our general results apply also to the bucket test and 
we discuss the difference further in section 3.2. 

A critical assumption in the small exponents test is that the $y_i$ values lie in the group of prime order, $G$. This rules out the case where $G$ is the multiplicative group $\mathbb{Z}_n^*$ for $n$ composite as used in RSA and related algorithms. Nevertheless, 
Bellare et al. have shown that there is a simpler form of verification, which 
they called screening, that applies to RSA signatures². Screening shows that 
the signatures must have, at some time, been formed by the true owner of the 
private key even though none of the individual claimed signatures might actually 
be correct. Screening is sufficient in applications where it is not necessary to 
possess the signatures, but only to know that the messages were signed; an 
example might be bulk verification of certificates. 

1.3 Central Observation and Contribution 

As mentioned above, it is a requirement in the proof of correctness of the small 
exponents test that all operations are performed within a group G of prime 
order. Bellare et al. suggest that in practice this is not really a restriction as this 
setting is commonplace in many modern cryptographic schemes. 

They observe that when the order of $G$ is not prime the small exponents test will not work. For an example they use $G = \mathbb{Z}_p^*$, which has non-prime order $p - 1$. Let $g$ be a generator of $\mathbb{Z}_p^*$, and suppose $y = g^x \bmod p$. Under these assumptions the small exponents test will not detect the invalid batch with two pairs $(x, -y \bmod p)$, $(x, y)$ when the small exponent for the first pair is even, which occurs with probability 1/2. Notice that if $y$ lies in some prime order subgroup $G$ then $-y$ cannot lie in $G$.
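The small exponents test of table 1, the counterexamples to equation 1, and the $(x, -y \bmod p)$ failure just described, worked on a constructed toy group; this is an added example, not code from the paper or from Bellare et al. It assumes $p = 1019$, $q = 509$ and $g = 4$ (constructed parameters, far too small for real use) and adds an optional check that every $y_i$ satisfies $y_i^q = 1$ as the repair that restores the prime-order assumption.

```python
"""Small exponents test (table 1) and the prime-order requirement, on a toy
group.  Added example for this page, not code from the paper or from
Bellare et al.; the parameters below are constructed for illustration only."""
import secrets

# Constructed toy parameters: p = 2q + 1 with p, q prime; g = 4 is a square in
# Z_p^*, so it generates the subgroup G of prime order q (4 != 1, order | q).
P = 1019
Q = 509
G = 4


def is_in_subgroup(y, p, q):
    """Membership test for the prime-order subgroup G: y^q == 1 (mod p)."""
    return 1 <= y < p and pow(y, q, p) == 1


def naive_product_test(g, p, q, batch):
    """Equation (1): prod y_i == g^(sum x_i).  Necessary for a correct batch,
    but not sufficient (moving a constant between two x_i leaves it true)."""
    x = sum(xi for xi, _ in batch) % q
    y = 1
    for _, yi in batch:
        y = y * yi % p
    return pow(g, x, p) == y


def small_exponents_test(g, p, q, batch, l, s_values=None, check_membership=False):
    """Table 1: pick s_i in {0,1}^l, accept iff g^(sum x_i s_i) == prod y_i^s_i.

    s_values fixes the random exponents (used here to expose the failure mode);
    check_membership adds the y_i in G check that the proof of the test relies on.
    """
    if check_membership and not all(is_in_subgroup(yi, p, q) for _, yi in batch):
        return False
    if s_values is None:
        s_values = [secrets.randbelow(1 << l) for _ in batch]        # step 1
    x = sum(xi * si for (xi, _), si in zip(batch, s_values)) % q     # step 2
    y = 1
    for (_, yi), si in zip(batch, s_values):
        y = y * pow(yi, si, p) % p
    return pow(g, x, p) == y                                          # step 3


def make_batches():
    """A correct batch plus the two tampered variants the text describes
    (constructed values)."""
    x1, x2 = 123, 456
    y1, y2 = pow(G, x1, P), pow(G, x2, P)
    correct = [(x1, y1), (x2, y2)]
    # Shift a constant from one exponent to the other: equation (1) still holds,
    # the small exponents test catches it unless s1 == s2 (mod q).
    shifted = [(x1 + 5, y1), (x2 - 5, y2)]
    # Replace y1 by -y1 mod p.  -y1 is NOT in G (its q-th power is -1, q odd),
    # and the unrepaired test accepts exactly when s1 is even.
    negated = [(x1, P - y1), (x2, y2)]
    return correct, shifted, negated


def false_accept_rate(batch, l, trials=400):
    """Fraction of runs in which the unrepaired test (random s_i) accepts batch."""
    accepted = sum(small_exponents_test(G, P, Q, batch, l) for _ in range(trials))
    return accepted / trials
```

With the membership check enabled the negated batch is rejected every time, which is the repair the paper argues for; without it, about half of the runs accept it.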

The theme of this paper revolves around the requirement of working in a 
prime order group, and can be summarised in two significant observations. 

1. Several authors have ignored this requirement. We give explicit attacks to 
show that their proposed batch verifiers do not work as advertised. 

2. Even when this requirement is stated, it is not usually possible to check effi- 
ciently that it actually holds in a batch presented for verification. This makes 
most applications, including batch verification of DSA signatures [2,15], in- 
appropriate unless additional properties hold. 

The remainder of this paper is structured as follows. In the next section we 
show that the claimed strong RSA batch verifiers proposed by Yen and Laih [22] 
actually provide only the weaker screening property. We also present an explicit 
attack on the batch DSA verifiers of Harn [11], showing that an outsider can forge 
a batch signature for messages of his choosing. In the following section we outline 
a general attack that is applicable to verifiers of signatures in batches, illustrating 
how this may be applied to the small exponents test for batch verification of 
DSA signatures [2,15]. The attack allows the true signer to have false signatures 
accepted by the verifier. We then demonstrate how this general attack may be 
avoided by careful choice of the prime modulus used and give a generalised 
small exponents test for any cyclic group. We finally present a batch verifier for 
modified RSA signatures. 

² Coron and Naccache [5] pointed out that screening can fail if duplicate messages are present. A modified version of screening was later proven correct by Bellare et al. [2].
2 Specific Attacks on Batch Verification Schemes 

In this section we look at two schemes for batch verification which do not operate 
in prime order groups. The first works with a composite modulus, while the 
second performs a modular reduction before verification which destroys the group 
structure. We show that in both cases the verification does not provide the 
assurances claimed. 

2.1 Yen and Laih’s RSA Batch Verification 

Yen and Laih [22] proposed a variation of ElGamal signatures suitable for batch 
signature verification. Here we consider the RSA batch verification technique 
that they devised as a performance comparison with their proposed scheme. 
They have essentially proposed to use the small exponents test in the RSA multiplicative group. Specifically, suppose that $S_1, \ldots, S_n$ are claimed RSA signatures [18] on messages $m_1, \ldots, m_n$ (where these messages have been pre-processed by any chosen hashing and redundancy functions). If the signatures are correct then $S_i = m_i^d \bmod N$ where $d$ is the RSA private exponent and $N$ the modulus. Small exponents $s_1, \ldots, s_n$ are chosen randomly of length $l$. The batch verification is then to test if the following equation holds, where $e$ is the RSA public exponent.

$$\Big(\prod_{i=1}^{n} S_i^{s_i}\Big)^e = \prod_{i=1}^{n} m_i^{s_i} \bmod N \qquad (2)$$

Notice that this test is not as efficient as the small exponents test described 
in table 1 because it is not possible for the verifier to add the exponents on 
the left hand side modulo the group order. Furthermore, in practice a small 
value of e is often used which severely limits the benefit of batch verification. 
For example, if e = 3 then the batch verification can never be as efficient as 
individual verification of the signatures with any reasonable failure probability. 
But regardless of the test's efficiency it is wrong to assume that it provides more than screening; this means that use of the small exponents is redundant since Bellare et al. showed that equation 2 provides screening with all $s_i = 1$, at least in the case of full domain hashing.

The simplest attack is to replace some $S_i$ values by $-S_i$ and some $m_i$ values by $-m_i$ (all modulo $N$). Then the test will still succeed with probability 1/2 depending on the parity of the $s_i$ values chosen. This attack can be launched by any party. It can be compounded by the signer who can choose an element $a$ of small order $t$ in the multiplicative group ($t$ should be smaller than $2^l$). Any $S_i$ value can then be replaced by $aS_i \bmod N$ and the test will succeed with probability $1/t$. Note that it is easy to find such an $a$ if the factorisation of $N$ is known.

2.2 Harn’s DSA Batch Verification 

Harn [11] proposed an algorithm which is essentially a direct application of 
equation 1 to variants of DSA signatures. Specifically he considers the following signature algorithm. Primes $p$ and $q$ are chosen with $q \mid p - 1$ and a generator $g$ of the group $G$ of order $q$ is published. A user's private key is a number $x$ in $\mathbb{Z}_q$ and the corresponding public key is $y = g^x \bmod p$. A signature of a message $m$ (again pre-processed by hashing) is a pair $(r, s)$ where both $r$ and $s$ lie in $\mathbb{Z}_q$. A claimed signature pair is correct if the following verification equation holds.

$$r = \big(g^{s r^{-1} \bmod q}\; y^{m r^{-1} \bmod q} \bmod p\big) \bmod q$$

Now suppose that $m_1, \ldots, m_n$ is a batch of messages with corresponding set of claimed signatures $(r_1, s_1), \ldots, (r_n, s_n)$. Applying the multiplicative property, the following equation holds, which is also the proposed batch verification test.

$$\prod_{i=1}^{n} r_i \bmod q = \Big(g^{\sum_{i=1}^{n} s_i r_i^{-1} \bmod q}\; y^{\sum_{i=1}^{n} m_i r_i^{-1} \bmod q} \bmod p\Big) \bmod q \qquad (3)$$

Our first observation is that this test can provide no more than screening. For suppose that a batch of correct signatures is known. Keep the $r_i$ values the same and then choose the $n - 1$ values $s'_1, \ldots, s'_{n-1}$ randomly and finally solve the equation

$$\sum_{i=1}^{n} s'_i r_i^{-1} \bmod q = \sum_{i=1}^{n} s_i r_i^{-1} \bmod q$$

to obtain the value $s'_n$. Then the batch $(r_1, s'_1), \ldots, (r_n, s'_n)$ satisfies the test but almost certainly none of the signatures is correct.

Now we show that the situation is compromised even further by an explicit attack. With high probability it is possible for an attacker who is not the signer to find signatures for any chosen message set. We only need to assume that the attacker has any known signature for this scheme: this gives values $A$, $B$ and $C$ with $A = (g^B y^C \bmod p) \bmod q$. We suppose that the attacker has chosen two messages for signing, say $m_1$ and $m_2$ (the attack is easily generalised to any number of messages). The attack works by making verification equation 3 the same as for the known signature. This is done in two steps.

1. Solve for $r_1$ and $r_2$ to ensure that

$$r_1 r_2 = A \bmod q$$
$$m_1 r_1^{-1} + m_2 r_2^{-1} = C \bmod q.$$

2. Solve for $s_1$ and $s_2$ to ensure that

$$s_1 r_1^{-1} + s_2 r_2^{-1} = B \bmod q.$$

The simultaneous equations in step 1 can be reduced to the quadratic equation $(m_2/A)\, r_1^2 - C r_1 + m_1 = 0 \bmod q$, which can be solved by completion of the square as long as the discriminant $C^2 - 4 m_1 m_2 / A$ is a quadratic residue modulo $q$. On the assumption that $m_1$ and $m_2$ are random (they are the result of hashing) this will be the case with probability 1/2. Step 2 can then be completed by choosing $s_1$ randomly and solving for $s_2$.
The attack can be generalised for any number of messages to be forged. In step 1 all but two of the $r_i$ values can be chosen randomly and then the remaining two found by solving a quadratic equation as described above. Step 2 proceeds as above with all but one of the $s_i$ values chosen at random. It is interesting to note that this attack will not work if random small exponents are added to the verification equation. However, since there is no security proof it would be dangerous to rely on such a test.

3 General Attack on the Small Exponents Test 

In this section we show that the small exponents test described in table 1 is much less useful than it at first appears. We will show that many of the proposed applications for the test are, in fact, not appropriate at all.

3.1 Attacking Batch Verification of DSA 

In order to explain the weakness we first describe the batch DSA verification 
proposed by Bellare et al. [2]. (Note that this application was not included in 
the shortened version of the paper published at Eurocrypt’98 [1]). As previously 
suggested by Naccache et al. [15] the verification algorithm is applied not to the 
original DSA signature scheme but to a slightly altered version. 

The setting is again in a subgroup $G$ of $\mathbb{Z}_p^*$ of prime order $q$ where a user's private key is $x \in \mathbb{Z}_q$ with public key $y = g^x \in G$. The signature of a (pre-processed) message $m$ is a triple $(\lambda, s, m)$ which satisfies the following verification equation, where $r = \lambda \bmod q$.

$$\lambda = g^{m s^{-1} \bmod q}\; y^{r s^{-1} \bmod q} \bmod p$$

The difference in original DSA is that A is replaced by r, and the verification 
equation is reduced modulo q. This means that the original DSA signature is only 
twice the size of q instead of the size of q plus the size of p in the revised version. 
Since typical sizes of p and q would be 1024 and 160 bits respectively, this is 
a significant extra overhead which might be worthwhile for the computational 
gains of batch verification. Note that the modified version can easily be converted 
into an original DSA version at any time by replacing A with r. Bellare et al. 
applied the small exponents test to a batch of modified DSA signatures as shown 
in table 2. 

We now apply our main observation to the algorithm: at no time in the algorithm is it checked that the $\lambda_i$ values are actually within the group $G$ as they should be. Once this is observed it is straightforward to develop an attack. (In contrast to the attack in section 2.2 only the true signer can carry out this attack.) Similar to the attack on Yen-Laih's algorithm in section 2.1, the idea of the attack is to replace one or more $\lambda_i$ values by $-\lambda_i$ and the signatures will be accepted with probability 1/2. Because the $b_i$ values in the test depend on $\lambda_i$ the attacking signer needs to choose $\lambda_i$ first and then find $s_i$. Specifically the signer proceeds as follows to run the attack with one or more of the messages
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Given: Public parameters p,q,g a public key y and a batch of claimed signatures: 
(Ai, si, mi), . . . , (A n,s n ,m n ) with Si €. and Aj € G. Also a security parameter l. 
Check: That V* € {1, . . . , n} : A, = g rriiS * mod 9 y riS i mod q mod p. 

1. For i = 1, . . . , n set a, — s“ * 1 2 3 mi mod q and bi = s~ 1 X i mod q. 

2. Pick wi,...,w„ £ {0, 1}* at random. 

3. Compute A = J27=i aiWi m °d OS B = ^ iWi m °d 1’ and R = 117=1 ^7*- 

4. If g A y B = R then accept, else reject. 


Table 2. Small exponents test for batch verification of modified DSA [2] 


1. Choose ki randomly in Th q and set L, = g ki mod p. 

2. Set A i = —Li mod p, r, = A* mod q and Sj = + xri) mod q. 

3. Present (A*, s,., rrij) to the verifier as part of the batch. 

It follows that 

$$g^{m_i s_i^{-1} \bmod q}\, y^{r_i s_i^{-1} \bmod q} \bmod p = g^{k_i} \bmod p = L_i$$ 

and since $L_i^2 = \lambda_i^2 \bmod p$ this will go undetected if the verifier chooses this $w_i$ 
to be even, which happens with probability 1/2. 

As with the attack on Yen-Laih, it can be generalised by substituting $\lambda_i = 
\alpha L_i \bmod p$ for an element $\alpha$ with any order $t$ where $t \mid p - 1$ and $t < 2^l$. Usually 
there will be many such $t$ values that can be chosen. Then the signature will be 
accepted with probability $1/t$. 

We would like to emphasise that this does not invalidate the theorem proven 
by Bellare et al. regarding the security of their small exponents test since it is 
an assumption in table 1 that the $y_i$ values are in the group $G$. Furthermore, 
strictly the application is correct as long as the $\lambda_i$ values are in $G$, but this is 
not a reasonable assumption in practice. 
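To make the observation concrete, here is an added example (written for this page, not the paper's own code) that implements the table 2 verifier on constructed toy parameters (p = 2039, q = 1019, g = 4, far below real DSA sizes), checks it against a correct batch, then shows how the negation substitution above passes whenever the verifier's $w_i$ is even, and how the membership check $\lambda_i^q \equiv 1 \pmod p$ that section 4 identifies as the missing step rejects it. All function names are my own.

```python
import random

# Constructed toy parameters (an assumption for this example, not the paper's):
# p = 2039 and q = 1019 are prime with p = 2q + 1, so G, the subgroup of Z_p^*
# of order q, is the set of quadratic residues and -1 is not in G.  g = 4 is a
# residue different from 1 and hence generates G.  Real use needs |p| = 1024,
# |q| = 160 or larger.
P, Q, G = 2039, 1019, 4


def keygen(rng):
    """Private key x in Z_q, public key y = g^x mod p."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


def _dsa_components(x, m, k):
    """Shared DSA arithmetic: lambda = g^k, r = lambda mod q, s = k^{-1}(m + x r) mod q."""
    lam = pow(G, k, P)
    r = lam % Q
    s = pow(k, -1, Q) * (m + x * r) % Q
    return lam, r, s


def sign(x, m, rng):
    """Modified DSA: the signature keeps lambda = g^k mod p instead of r."""
    while True:
        lam, r, s = _dsa_components(x, m, rng.randrange(1, Q))
        if r and s:
            return lam, s, m


def sign_negated(x, m, rng):
    """The signer's substitution from section 3.1: lambda_i := -L_i mod p, with
    r_i and s_i derived from that negated value.  Not a valid signature (see
    verify_single), but table 2 accepts it whenever the verifier's w_i is even."""
    while True:
        k = rng.randrange(1, Q)
        lam = (-pow(G, k, P)) % P
        r = lam % Q
        s = pow(k, -1, Q) * (m + x * r) % Q
        if r and s:
            return lam, s, m


def verify_single(y, sig):
    """Ordinary (non-batch) check lambda = g^{m/s} y^{r/s} mod p."""
    lam, s, m = sig
    r = lam % Q
    s_inv = pow(s, -1, Q)
    return lam == pow(G, m * s_inv % Q, P) * pow(y, r * s_inv % Q, P) % P


def batch_verify_table2(y, batch, l, rng, w=None, check_membership=False):
    """Small exponents test of table 2.  w may be supplied to make the outcome
    deterministic.  check_membership adds the lambda_i^q = 1 test (n extra
    exponentiations) that the text identifies as the missing step."""
    if check_membership and any(pow(lam, Q, P) != 1 for lam, _, _ in batch):
        return False
    if w is None:
        w = [rng.randrange(0, 1 << l) for _ in batch]
    A = B = 0
    R = 1
    for (lam, s, m), wi in zip(batch, w):
        s_inv = pow(s, -1, Q)
        A = (A + s_inv * m % Q * wi) % Q          # sum of a_i w_i
        B = (B + s_inv * (lam % Q) % Q * wi) % Q  # sum of b_i w_i
        R = R * pow(lam, wi, P) % P
    return pow(G, A, P) * pow(y, B, P) % P == R


def acceptance_rate(y, batch, l, rng, trials=400, **kw):
    """Fraction of random-exponent runs that accept the batch."""
    return sum(batch_verify_table2(y, batch, l, rng, **kw) for _ in range(trials)) / trials


if __name__ == "__main__":
    rng = random.Random(2000)
    x, y = keygen(rng)
    honest = [sign(x, m, rng) for m in (11, 22, 33)]
    forged = [sign_negated(x, 11, rng)] + honest[1:]
    print("honest batch accepted:", acceptance_rate(y, honest, 20, rng))
    print("negated lambda_1 accepted (expect about 0.5):",
          acceptance_rate(y, forged, 20, rng))
    print("same batch with membership check:",
          acceptance_rate(y, forged, 20, rng, check_membership=True))
```

Passing `w` explicitly makes the two outcomes of the coin flip visible: an even $w_1$ cancels the sign, an odd one exposes it. The membership check rejects regardless of $w$, which is exactly why it costs $n$ extra exponentiations and defeats the purpose of batching.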


3.2 Other Schemes Susceptible to the Attack 

Several other published schemes make essentially the same unjustified assumption. 
An attack on the earlier DSA batch verification scheme of Naccache et al. 
[15] is identical to that proposed above. A similar attack on the batch verifier 
for a Schnorr signature variant proposed by Yen and Laih [22] is possible. Note 
that if all (or most) of the small exponents are chosen to be odd, as 
is suggested by Naccache et al., the substitution should be made on an even 
number of $\lambda_i$ values for the attack to succeed. 

Another application that is vulnerable is a recent proposal for batch ver- 
ification of coins in Brands’ cash scheme [17]. In this proposal the merchant 
essentially uses the small exponents test during the payment protocol to ver- 
ify a batch of coins together; a batch test is also used by the bank at deposit 
time. A possible consequence of the above attack is that a customer can frame 
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a merchant since there is a high probability that the customer can have a bad 
coin accepted at payment time but that it will be rejected by the bank during 
deposit. 

The alternative bucket test of Bellare et al. [1] is also vulnerable to the same 
attack, since it basically consists of a series of small exponent tests run on random 
partitions of the batch. However, in many instances it will detect the attack with 
much higher probability than the small exponents test. The bucket test uses an 
additional parameter $m$, repeats the partitioning $\lceil l/(m-1) \rceil$ times, and runs 
the small exponents test with parameter $m$ in place of $l$. So a value $\lambda_i$ replaced 
by $-\lambda_i$ will be detected with probability 1/2 for every repetition, or $2^{-\lceil l/(m-1) \rceil}$ 
overall. This is still much worse than the claimed probability of failure of $2^{-l}$. 

4 Repairing the Small Exponents Test 

An obvious way to prevent the attack is to check that the $\lambda_i$ values in table 2 are 
indeed in $G$, as required by the small exponents test. However, there does not 
appear to be any way to do this that does not totally negate the computational 
savings of the test. For example, to test directly that $\lambda_i^q \bmod p = 1$ would require 
$n$ extra exponentiations. Note that it is not sufficient to check, for example, that 
the product of the $\lambda_i$ values is in $G$. 

The main problem in ensuring that the proof still holds is to avoid elements 
of low order in the ‘large group’. The element of order 2 is always present in $\mathbb{Z}_p^*$ 
so we have to accept that there may be sign changes in a batch that passes the test. 
In this section we show that through judicious choice of $p$ it is possible to avoid 
any other problems. 


4.1 Dealing with Prime Order Subgroups 

First of all we assume that $p$ is chosen to be of the form $p - 1 = 2rq$ where $r$ and $q$ 
are both primes. The modified form of the small exponents test is shown in table 
3; the differences from that in table 1 are small but significant. In particular there 
is no assumption that the $y_i$ values lie in $G$. A consequence of this difference is 
that exponentiations are only known to be correct up to a possible multiple of $-1$. 
This should be acceptable in most applications since it can always be corrected 
if a particular value is later found to be incorrect. 

The computational cost of the modified test is identical to that of table 1. 
Using an improved algorithm for multiexponentiation, Bellare et al. [1] calculated 
the total cost of the test as $l + n(l + 1/2)$ multiplications plus the cost of the 
exponentiation. The exact cost will depend on the size of the values of $p$, $q$ and 
$l$ (as well as the algorithms used for exponentiation and multi-exponentiation). 
Reasonable values today might be $|p| = 1024$, $|q| = 160$ and $l = 60$. 

Theorem 1. Suppose $p$ is a prime and $G$ a subgroup of $\mathbb{Z}_p^*$ of prime order $q$. If 
$p - 1 = 2qr$ where $r$ is prime and $\min(q, r) > 2^l$ then the algorithm in table 3 is 
a batch verifier which fails with probability at most $2^{-l}$. 
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
Given: $g$ a generator of the subgroup $G$ of $\mathbb{Z}_p^*$ and $(x_1, y_1), (x_2, y_2), \ldots, (x_n, y_n)$ with 
$x_i \in \mathbb{Z}_q$ and $y_i \in \mathbb{Z}_p^*$. Also a security parameter $l$. 

Check: That $\forall i \in \{1, \ldots, n\} : \pm y_i = g^{x_i}$. 

1. Pick $s_1, \ldots, s_n \in \{0, 1\}^l$ at random. 

2. Compute $x = \sum_{i=1}^n x_i s_i \bmod q$ and $y = \prod_{i=1}^n y_i^{s_i}$. 

3. If $g^x = y$ then accept, else reject. 


Table 3. Modified small exponents test for batch verification of exponentiation 
in $\mathbb{Z}_p^*$ 


Proof. The proof is basically similar to that of Bellare et al. for their small 
exponents test but there are a few extra problems to consider. Suppose that $g_0$ 
is a generator of $\mathbb{Z}_p^*$ and suppose, without loss of generality, that $g = g_0^{2r}$. We 
can then write $y_i = g_0^{x_i'}$ for some $x_i'$ with $1 \le x_i' \le p - 1$. Suppose that the test 
passes; then the following equation holds. 

$$g^{s_1 x_1 + \cdots + s_n x_n} = y_1^{s_1} \cdots y_n^{s_n}$$ 

Because $g_0$ is a generator of $\mathbb{Z}_p^*$ we have 

$$2r(s_1 x_1 + \cdots + s_n x_n) = x_1' s_1 + \cdots + x_n' s_n \bmod (p - 1)$$ 

which we may re-write as the following. 

$$s_1(x_1' - 2r x_1) + \cdots + s_n(x_n' - 2r x_n) \bmod (p - 1) = 0 \qquad (4)$$ 

Suppose that for at least one value of $i$ we have $\pm y_i \ne g^{x_i}$. Without loss of 
generality let us assume that $i = 1$. If we suppose that the values of $s_2, \ldots, s_n$ 
have been chosen, then equation 4 is a linear equation in $s_1$ and the number of 
solutions for $s_1$ is either 0 or $v = \gcd(p - 1, 2r x_1 - x_1')$. Because $p - 1 = 2qr$, $v$ 
can take any of the eight values $\{1, 2, q, r, 2r, 2q, qr, 2qr\}$. But the case $v = 2qr$ 
means that $2r x_1 = x_1' \bmod p - 1$ so $y_1 = g^{x_1}$ which we have assumed is not true. 

The next largest case is $v = qr$, so that we have either $2r x_1 = x_1' \bmod p - 1$ 
or $2r x_1 + qr = x_1' \bmod p - 1$. The former possibility is ruled out and the latter 
possibility means that $y_1 = g_0^{x_1'} = g_0^{2r x_1 + qr} = -g^{x_1}$ which is also assumed not to 
hold. 

The remaining cases do not satisfy the check so we need to show that they 
occur with small probability. The next largest case is $v = 2r$. Although in this 
case there are many solutions to equation 4, these solutions are evenly distributed 
in the sense that if $X$ is any solution for $s_1$ then $X + q$ is also a solution. This 
means that there is at most one solution for $s_1$ in the range $0 \le s_1 < 2^l$ since 
$q > 2^l$. A similar argument holds for all other possible values of $v$. Since $s_1$ is 
chosen randomly the probability that equation 4 holds when $\pm y_1 \ne g^{x_1}$ is thus 
at most $2^{-l}$. The same is then true if all $s_1, \ldots, s_n$ are drawn independently and 
randomly. □ 
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It can be seen from the proof that the requirement that $p - 1 = 2rq$ is stronger 
than necessary. In fact it is necessary only that $p - 1$ has no factors smaller than 
$q$ apart from 2. Efficient methods to generate primes satisfying either of these 
conditions have been described by Lim and Lee [13]. They suggest that to satisfy 
$p - 1 = 2rq$, the prime $r$ should be chosen first and then random primes $q$ of the 
desired size chosen until $p$ is prime. For $|p| = 1024$ only around 710 trials for $q$ 
will be required which is a very practical requirement. 
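The following added example (written for this page, not the authors' code) carries out the search just described at toy size, generates a modulus $p = 2rq + 1$ with $r$ fixed first, and then runs the table 3 test over it. It shows the two behaviours the proof of Theorem 1 distinguishes: a $y_1$ negated to $-g^{x_1}$ is tolerated by design when $s_1$ is even, whereas a $y_1$ multiplied by an element of order $r$ (the $v = 2r$ case) is caught unless $s_1 = 0$, which is the single bad exponent the $2^{-l}$ bound allows. Bit sizes, the trial-division primality test and the function names are my own choices.

```python
import random


def is_prime(n):
    """Trial division; enough for the toy sizes (about 25 bits) used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def random_prime(bits, rng):
    """Random odd prime with exactly `bits` bits."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(candidate):
            return candidate


def gen_modulus(q_bits, r_bits, rng):
    """Search of Lim and Lee as described in section 4.1: choose the prime r
    first, then draw random primes q until p = 2rq + 1 is prime.  Returns
    (p, q, r, g, trials) where g generates the order-q subgroup G of Z_p^*."""
    r = random_prime(r_bits, rng)
    trials = 0
    while True:
        trials += 1
        q = random_prime(q_bits, rng)
        p = 2 * r * q + 1
        if is_prime(p):
            break
    while True:  # a^(2r) has order dividing the prime q, so order q unless it is 1
        g = pow(rng.randrange(2, p - 1), 2 * r, p)
        if g != 1:
            return p, q, r, g, trials


def element_of_order_r(p, q, r, rng):
    """An element of Z_p^* of order r: neither in G nor equal to -1, which is
    exactly the kind of element the proof of Theorem 1 has to rule out."""
    while True:
        a = pow(rng.randrange(2, p - 1), 2 * q, p)
        if a != 1:
            return a


def small_exponents_test_table3(p, q, g, pairs, l, rng, s=None):
    """Table 3: accept iff every y_i equals +-g^{x_i}, with y_i anywhere in
    Z_p^* (no membership assumption).  s may be supplied for determinism."""
    if s is None:
        s = [rng.randrange(0, 1 << l) for _ in pairs]
    x = sum(xi * si for (xi, _), si in zip(pairs, s)) % q
    y = 1
    for (_, yi), si in zip(pairs, s):
        y = y * pow(yi, si, p) % p
    return pow(g, x, p) == y


if __name__ == "__main__":
    rng = random.Random(2000)
    l = 8                                   # needs min(q, r) > 2^l = 256
    p, q, r, g, trials = gen_modulus(12, 12, rng)
    print(f"p = {p} = 2*{r}*{q} + 1 after {trials} trials for q")
    xs = [rng.randrange(q) for _ in range(4)]
    pairs = [(x, pow(g, x, p)) for x in xs]
    print("honest batch:", small_exponents_test_table3(p, q, g, pairs, l, rng))
    bad = [(xs[0], pairs[0][1] * element_of_order_r(p, q, r, rng) % p)] + pairs[1:]
    rejected = sum(not small_exponents_test_table3(p, q, g, bad, l, rng) for _ in range(500))
    print(f"y_1 off by an order-r factor rejected in {rejected}/500 runs")
```

With 12-bit $q$ and $r$ both exceed $2^8$, so $l = 8$ satisfies the hypothesis of Theorem 1; at real sizes the same code shape applies, only the primality test needs replacing.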


4.2 Generalisation and Applications 

There are a number of ways that the modified small exponents test can be 
extended. We give a generalised form in table 4 which applies to any cyclic 
group. This algorithm can only give assurance of the correctness of the batch up 
to multiplication by an element of order less than $2^l$. Therefore, in applications it 
will be useful to ensure that the group order has as few small factors as possible. 
The following theorem shows that the algorithm is a correct batch verifier. The 
proof, which is a generalisation of the proof of Theorem 1, is omitted due to 
space restrictions. 

Theorem 2. The algorithm in table 4 is a batch verifier which fails with probability 
at most $2^{-l}$. 


Given: $g$ a generator of a cyclic group $H$ of order $w$ and $(x_1, y_1), (x_2, y_2), \ldots, (x_n, y_n)$ 
with $x_i \in \mathbb{Z}_w$ and $y_i \in H$. Also a security parameter $l$. 

Check: That $\forall i \in \{1, \ldots, n\} : \alpha y_i = g^{x_i}$ for some element $\alpha \in H$ of order less than 
$2^l$. 

1. Pick $s_1, \ldots, s_n \in \{0, 1\}^l$ at random. 

2. Compute $x = \sum_{i=1}^n x_i s_i \bmod w$ and $y = \prod_{i=1}^n y_i^{s_i}$. 

3. If $g^x = y$ then accept, else reject. 


Table 4. Generalised small exponents test for batch verification of exponentiation 
in any cyclic group 


There are a number of useful applications of our modified small exponents tests. 

— DSA batch verification can be achieved by adapting the algorithm of table 2 
to verify the signature up to multiplication of each $\lambda_i$ by $-1$. The algorithm 
is identical except 

• we require that $p - 1$ has no factors smaller than $2^l$ apart from 2. 

• we do not assume that $\lambda_i$ is in a prime order subgroup. 

Of course the attack in section 3.1 still holds so if this verification is to be 
used it is necessary to adapt the DSS algorithm so that $(r, s, m)$ will be a 
correct signature if either of the following checks passes. 
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
$$r = (g^{m s^{-1} \bmod q}\, y^{r s^{-1} \bmod q} \bmod p) \bmod q \qquad (5)$$ 

$$(p - r) \bmod q = (g^{m s^{-1} \bmod q}\, y^{r s^{-1} \bmod q} \bmod p) \bmod q \qquad (6)$$ 

Although it seems intuitively reasonable that this extension to DSA signatures 
is as secure as original DSA we do not offer any proof. 

— Bellare et al. [1] have asked whether a batch verifier for exponentiation can 
be found for $\mathbb{Z}_p^*$ rather than in a prime order subgroup. The algorithm in 
table 4 answers this question in the affirmative (up to multiplication by $-1$) 
with the condition that $p - 1$ has no small factors apart from 2. 

— The bucket test of Bellare et al. [1] is an extension of the small exponents test 
and it is immediate to extend our test in the same way. The computational 
cost will be the same as that of the original bucket test. 


5 Batch Verification of RSA Signatures 

As mentioned previously, Bellare et al. introduced screening as a weaker form 
of verification for RSA signatures. In this section we will use the ideas from 
the previous section to derive batch verification of a slightly modified definition 
of RSA signatures. This variation was already used by Gennaro et al. [8] in a 
different context. Specifically, the set of signatures on a message $m$, randomised 
appropriately, is defined as 

$$\mathrm{SIG}(m) = \{S_m : S_m = \alpha m^d,\ \mathrm{ord}(\alpha) \le 2\}.$$ 

For an RSA modulus, $N = pq$, there are four possible signatures of every message. 
In addition to 1 and $-1$ there are two ‘non-trivial’ square roots of unity and 
knowledge of either of these allows $N$ to be factorised. Consequently an oracle 
to forge a signature in $\mathrm{SIG}(m)$ can be used to forge an ordinary RSA signature 
either directly or by allowing factorisation of $N$. 

The next restriction we need is that $N$ should be the product of two safe 
primes: $N = pq$ where $(p - 1)/2$ and $(q - 1)/2$ are also prime. Since there is 
an efficient method to prove that $N$ is of this form [3,14] this property can 
be checked when the public key is certified or, if necessary, prior to the batch 
verification. Our batch verification algorithm for RSA is given in table 5. The 
proof of the following result is omitted due to space restrictions. 

Theorem 3. The algorithm in table 5 is a batch verifier which fails with probability 
at most $2^{-l}$. Its cost is approximately $l(n + 2) + 1.5|e| + n - 1$ multiplications 
modulo $N$. 


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
Given: A modulus $N$ which is the product of two primes and 
$(S_1, m_1), (S_2, m_2), \ldots, (S_n, m_n)$ with $S_i, m_i \in \mathbb{Z}_N$. Also a security parameter $l$ 
with $2^l < \min(p', q')$. 

Check: That $\forall i \in \{1, \ldots, n\} : \alpha_i S_i^e = m_i$ for some element $\alpha_i \in \mathbb{Z}_N^*$ of order not more 
than 2. 

1. Check that $(S_i, N) = 1$ for all $i$. 

2. Pick $s_1, \ldots, s_n \in \{0, 1\}^l$ at random. 

3. Compute $x = \left(\prod_{i=1}^n S_i^{s_i}\right)^e \bmod N$ and $y = \prod_{i=1}^n m_i^{s_i} \bmod N$. 

4. If $x = y$ then accept, else reject. 


Table 5. Small exponents test for batch verification of RSA signatures 


Batch verification of RSA is counter-productive when $e$ is small, as the cost of 
conventional sequential verification of the $n$ signatures will be $1.5n|e|$ multiplications. 
The algorithm is worthwhile when $e$ satisfies 

$$|e| > \frac{l(n + 2)}{1.5(n - 1)} + \frac{2}{3}.$$ 

Thus for large $n$ we require that $|e| \approx 2l/3$ before the test becomes useful. Small 
values of $e$ such as 3 or $2^{16} + 1$ will never benefit from our batch verification. 
There are certain situations where a random, or large, $e$ is desirable [19]. For a 
random $e$ our test provides immediate gains for any reasonable size of $N$. 
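An added example for this section (written for this page, not the authors' code): the table 5 test on a constructed toy modulus $N = 1439 \cdot 2039$, both factors safe primes, together with the cost comparison behind Theorem 3 and the crossover size of $e$ above which batching pays off. As in the DSA case, supplying the exponents explicitly exposes the single exponent value ($s_1 = 0$) at which a corrupted $S_1$ slips through, which is the $2^{-l}$ in the theorem. Function names, the choice of $e$ and the message values are my own.

```python
import random
from math import gcd

# Constructed toy modulus (an assumption of this example, not the paper's):
# p = 1439 = 2*719 + 1 and q = 2039 = 2*1019 + 1 are safe primes.  Every
# element of Z_N^* then has order dividing 2*719*1019, so apart from the four
# square roots of 1 there is no element of order below 719, and l = 9 meets
# the table 5 condition 2^l = 512 < min(p', q') = 719.
P, Q = 1439, 2039
N = P * Q
PHI = (P - 1) * (Q - 1)
L = 9


def rsa_keypair(e=65537):
    """Public exponent e and private exponent d = e^{-1} mod phi(N)."""
    assert gcd(e, PHI) == 1
    return e, pow(e, -1, PHI)


def rsa_sign(d, m):
    return pow(m, d, N)


def batch_verify_table5(e, batch, l, rng, s=None):
    """Table 5: accept iff every S_i is a signature on m_i up to a factor of
    order at most 2, i.e. S_i in SIG(m_i).  s may be supplied for determinism."""
    if any(gcd(S, N) != 1 for S, _ in batch):            # step 1
        return False
    if s is None:                                          # step 2
        s = [rng.randrange(0, 1 << l) for _ in batch]
    prod_S = 1
    y = 1
    for (S, m), si in zip(batch, s):                       # step 3
        prod_S = prod_S * pow(S, si, N) % N
        y = y * pow(m, si, N) % N
    x = pow(prod_S, e, N)
    return x == y                                          # step 4


def batch_cost(n, l, e_bits):
    """(batch cost from Theorem 3, cost of n conventional verifications),
    both in multiplications modulo N."""
    return l * (n + 2) + 1.5 * e_bits + n - 1, 1.5 * n * e_bits


def min_useful_e_bits(n, l):
    """Size of e above which the batch test wins: |e| > l(n+2)/(1.5(n-1)) + 2/3."""
    return l * (n + 2) / (1.5 * (n - 1)) + 2 / 3


if __name__ == "__main__":
    rng = random.Random(2000)
    e, d = rsa_keypair()
    msgs = [2, 3, 5, 7, 11]                     # constructed pre-processed messages
    batch = [(rsa_sign(d, m), m) for m in msgs]
    print("honest batch:", batch_verify_table5(e, batch, L, rng))
    bad = [(batch[0][0] * 2 % N, msgs[0])] + batch[1:]
    print("corrupted S_1:", batch_verify_table5(e, bad, L, rng))
    for n in (10, 100):
        print(f"n={n}, l=60: batch test pays off once |e| > {min_useful_e_bits(n, 60):.1f} bits;",
              "costs for |e|=1024:", batch_cost(n, 60, 1024))
```

The factor 2 used to corrupt $S_1$ has order at least 719 in $\mathbb{Z}_N^*$, so it is not in $\mathrm{SIG}(m_1)$ and $2^{s_1 e} = 1$ only for $s_1 = 0$; a negated $S_1$, by contrast, is a legitimate member of $\mathrm{SIG}(m_1)$ and passes whenever $s_1$ is even.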

6 Conclusion 

In this paper we have outlined several new attacks on batch verification tech- 
niques in the literature including a general attack on batch verification which 
affects most of the prominent schemes. We have shown how this attack may be 
avoided by careful choice of the modulus and weakening the acceptance condi- 
tion. We have also provided a new batch verifier for exponentiation in any cyclic 
group and a batch verifier for modified RSA signatures. These results answer 
many of the open questions posed by Bellare et al. [1]. 
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1 Abstract 

The past twenty years have seen cryptography move from arcane to common- 
place, from difficult to easy, from expensive to cheap. Many influences are at 
work. These include: the professionalization of cryptographers, in which the 
IACR has played a significant role; the creation of textbooks and of courses; 
the steady growth of computational power delivered by the operation of Moore’s 
Law; the algorithmic advances made by cryptographic researchers and engineers; 
the rise of e-commerce and wireless infrastructures which have a seemingly end- 
less appetite for cryptographic services; the entry of many young people into the 
field; and the easing of government export controls. We envisage a near future 
where cryptographic operations will be as pervasive, cheap and unremarkable as 
IP protocol operations have become today. 

Some things about this future are already clear. Cryptographic operations 
will disappear into the infrastructure. The complexities of cryptography and of 
cryptographic key management will be hidden from users. New sorts of protocols 
will become practical. New sorts of businesses will be possible. We will describe 
several such protocols and businesses. Other important aspects of this future 
are less clear, such as the social, economic, and political implications. We will 
hazard guesses at these and other impacts of cryptography everywhere. 

2 Pointer to Further Detail 

Further materials may be found at 
http://www.anagram.com/berson/ac2000.html. 
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Abstract. Assuming a cryptographically strong cyclic group G of prime 
order q and a random hash function H , we show that ElGamal encryption 
with an added Schnorr signature is secure against the adaptive chosen 
ciphertext attack, in which an attacker can freely use a decryption oracle 
except for the target ciphertext. We also prove security against the novel 
one-more-decryption attack. Our security proofs are in a new model, 
corresponding to a combination of two previously introduced models, the 
Random Oracle model and the Generic model. The security extends to 
the distributed threshold version of the scheme. Moreover, we propose a 
very practical scheme for private information retrieval that is based on 
blind decryption of ElGamal ciphertexts. 


1 Introduction and Summary 

We analyse a very practical public key cryptosystem in terms of its security 
against the strong adaptive chosen ciphertext attack (CCA) of [RS92] , in which 
an attacker can access a decryption oracle on arbitrary ciphertexts (except for 
the target ciphertext). Let a signed ElGamal encryption of a message be an 
ElGamal ciphertext together with a Schnorr signature of that ciphertext — 
the public signature key is given by the ElGamal ciphertext. We prove that this 
scheme is secure against generic attacks where both the group G and the random 
hash function H are black boxes. 

The traditional versus the new security model. Assuming a strong cyclic group 
G and a random hash function H we prove tight bounds on the success proba- 
bility of a generic attacker performing some t generic steps. Our approach has 
practical consequences. It yields very practical cryptographic schemes that are 
provably secure in a reasonable, new security model, the random oracle and 
generic model (ROM+GM). The ROM goes back to Fiat and Shamir [FS86] 
and has been further enhanced by Bellare and Rogaway [BR93], while the 
generic model (GM) goes back to Nechaev [Ne94] and Shoup [Sh97]. We intro- 
duce the combination of these two models, the result of which seems to cover all 
practical attacks at hand. Namely, security in ROM+GM allows a separation of 

T. Okamoto (Ed.): ASIACRYPT 2000, LNCS 1976, pp. 73-89, 2000. 

© Springer-Verlag Berlin Heidelberg 2000 
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potential weaknesses of the group G, the hash function H and the cryptographic 
protocols using G and H. It allows a modular replacement of weak hash func- 
tions or groups without forcing changes to the cryptographic protocols. Whereas 
the security guarantees of most efficient groups and hash functions are merely 
heuristics based on the absence of known attacks, we obtain tight bounds on 
the success of arbitrary generic attacks. While we do not have to rely on any 
unproven assumption, it is the case that our security guarantees hinge on the 
existence of strong hash functions H and groups G for which the combination 
(G, H) has no weaknesses. On the other hand, we do not assume that the discrete 
logarithm (DL) problem or the Diffie-Hellman problem is hard — our 
security proof contains a hardness proof of the DL-problem in the generic model. 

The new ROM+GM is a powerful tool for proving security against interactive 
attacks. In this paper we merely consider encryption. For security in ROM+GM 
of Schnorr signatures — in particular security of blind signatures against the 
one-more signature forgery — see [SJ99]. Recently, it has been shown [Sc00] 
that the generation of secret DL-keys from short random seeds through a strong 
hash function is secure in GM. 

Notions of security. Let $G$ be a cyclic group of prime order $q$ with generator $g$, 
and let $\mathbb{Z}_q$ be the field of integers modulo $q$. A Diffie-Hellman key pair consists of 
a random secret key $x \in_R \mathbb{Z}_q$ and the corresponding public key $h = g^x \in G$. Diffie-Hellman 
keys give rise to many cryptographic schemes, for example ElGamal 
encryption [E85]. An ElGamal ciphertext of message $m \in G$ is a pair $(g^r, m h^r) \in 
G^2$ for random $r \in \mathbb{Z}_q$. ElGamal encryption is indistinguishable [GM84] — it is 
secure against a passive, merely eavesdropping adversary. Formally, an attacker, 
given distinct messages $m_0, m_1$ and a corresponding target ciphertext $\mathrm{cip}_b$ for 
random $b \in \{0, 1\}$, cannot guess $b$ better than with probability $\frac{1}{2}$. However, 
ElGamal encryption is completely insecure against various active attacks, where 
a decryption oracle can be used under appropriate conditions. 

A powerful active attack is the CCA-attack of Rackoff and Simon [RS92]. 
CCA-security means indistinguishability against an adversary that can freely 
use a decryption oracle except for the target ciphertext. Dolev, Dwork and 
Naor [DDN91] propose another notion of security against active attacks, called 
non-malleability. Here the adversary — which is given a decryption oracle — 
tries to create another ciphertext that is related in an interesting way to the 
target ciphertext. Non-malleability and CCA-security have been shown to be 
equivalent [DDN98]. 

Previous work. The public key encryption schemes of Shoup, Gennaro 
[SG98], Cramer, Shoup [CS98], Abdalla, Bellare, Rogaway [ABR98], 
Fujisaki, Okamoto [FO99], Shoup [Sh00] and Zheng, Seberry [ZS92] all 
extend variants of ElGamal encryption by an added signature or tag. This idea 
first appears in [ZS92] without a security proof. CCA-security has been proved 
in [SG98, CS98, ABR98, FO99, Sh00]. The schemes in [SG98, CS98, ABR98, 
Sh00] either use an involved tag construction or key generation to simplify the 
reduction to the discrete log or to the Diffie-Hellman problem; the tag in [ABR98] 
uses symmetric encryption. We consider the very practical, signed extension 
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of ElGamal encryption, which was independently proposed by Tsiounis and 
Yung [TY98] and Jakobsson [J98]. Herein, an ElGamal ciphertext $(g^r, m h^r)$ 
is completed by a Schnorr signature [Sc91] providing a proof of knowledge of 
the plaintext $m$ and of the secret $r$ — the public signature key $g^r$ is given by the 
ciphertext. CCA-security of this signed ElGamal encryption has been shown in 
[TY98] under the assumption that the signer really “knows” the secret signature 
key $r$. That assumption holds in the ROM if there is only a logarithmic number 
of interactions with the decryption oracle.¹ 
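As an added illustration of the scheme just described (constructed for this page, not the authors' code): signed ElGamal encryption in a constructed toy subgroup of $\mathbb{Z}_p^*$ with $p = 2039$, $q = 1019$, $g = 4$, using SHA-256 reduced modulo $q$ as a stand-in for the random oracle $H$. The decryption oracle refuses any ciphertext whose Schnorr signature under the key $g^r$ does not verify, which is contrasted with the malleability of plain ElGamal that a chosen-ciphertext adversary relies on. Function names and the hash encoding are my own.

```python
import hashlib
import random

# Constructed toy group (an assumption of this example, not the paper's):
# G is the subgroup of Z_p^* of prime order q with p = 2039, q = 1019 and
# generator g = 4.  Plaintexts are elements of G.
P, Q, G = 2039, 1019, 4


def H(*parts):
    """Stand-in for the random oracle H: SHA-256 of the parts, reduced mod q."""
    data = b"|".join(str(v).encode() for v in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen(rng):
    """Diffie-Hellman key pair: secret x in Z_q, public h = g^x."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


def elgamal_encrypt(h, m, rng):
    """Plain ElGamal: (g^r, m h^r).  Also returns r, which the signed variant needs."""
    r = rng.randrange(1, Q)
    return pow(G, r, P), m * pow(h, r, P) % P, r


def elgamal_decrypt(x, hbar, f):
    """m = f * hbar^{-x}; hbar has order q, so hbar^{q-x} is the inverse power."""
    return f * pow(hbar, (Q - x) % Q, P) % P


def signed_encrypt(h, m, rng):
    """Signed ElGamal [TY98, J98]: the ciphertext (hbar, f) is signed with a
    Schnorr signature whose secret key is r and whose public key hbar = g^r
    is part of the ciphertext itself.  Output (hbar, f, c, z)."""
    hbar, f, r = elgamal_encrypt(h, m, rng)
    t = rng.randrange(1, Q)
    c = H(pow(G, t, P), hbar, f)
    z = (t + c * r) % Q
    return hbar, f, c, z


def signed_decrypt(x, ct):
    """Decryption oracle: returns None unless the Schnorr signature verifies,
    i.e. unless the submitter could prove knowledge of r."""
    hbar, f, c, z = ct
    commitment = pow(G, z, P) * pow(hbar, (Q - c) % Q, P) % P   # g^z hbar^{-c} = g^t
    if H(commitment, hbar, f) != c:
        return None
    return elgamal_decrypt(x, hbar, f)


def malleate(ct, factor):
    """Plain ElGamal is malleable: scaling f maps Enc(m) to Enc(m*factor)."""
    hbar, f, c, z = ct
    return hbar, f * factor % P, c, z


def count_refusals(x, ct, factors):
    """Number of malleated copies of ct the signed-decryption oracle refuses.
    A malleated ciphertext passes only on a hash collision modulo q."""
    return sum(signed_decrypt(x, malleate(ct, a)) is None for a in factors)


if __name__ == "__main__":
    rng = random.Random(2000)
    x, h = keygen(rng)
    m = pow(G, 123, P)
    ct = signed_encrypt(h, m, rng)
    print("round trip ok:", signed_decrypt(x, ct) == m)
    hbar, f, _ = elgamal_encrypt(h, m, rng)
    print("plain ElGamal, f scaled by g, decrypts to m*g:",
          elgamal_decrypt(x, hbar, f * G % P) == m * G % P)
    print("signed ElGamal refusals for 20 malleated copies:",
          count_refusals(x, ct, [pow(G, k, P) for k in range(1, 21)]))
```

Because $c$ lives in $\mathbb{Z}_q$ with the tiny $q$ used here, a malleated ciphertext is wrongly accepted with probability about $1/q$ per attempt; with a real-sized $q$ that is negligible, which is the point of binding the signature to $(\bar h, f)$ under a key only the encipherer knows.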

Our results. We “validate” the [J98,TY98]-assumption that the signer really 
“knows” the secret key $r$ in the ROM+GM. We give a plaintext extractor, and 
we prove security against a generic CCA-attacker performing some number $t = 
o(\sqrt{q})$ of interactions and generic group steps. A CCA-attacker can freely use 
a decryption oracle except for the target ciphertext. We show that a generic 
CCA-attacker using $t$ generic steps, and given distinct messages $m_0, m_1$, a target 
ciphertext $\mathrm{cip}_b$ for random $b \in_R \{0, 1\}$, cannot predict $b$ with probability better 
than $\frac{1}{2} + t^2/q$. This probability is over the random hash function $H$, the random 
public encryption key $h$, the coin tosses of the encipherer, and the random bit 
$b$. This bound is almost tight, as a generic attacker, given the public key $h$, can 
compute the secret decryption key with probability $t^2/q$ in $t$ generic steps. This 
result improves the known security guarantees for signed ElGamal encryption. 
Moreover, our security proofs extend to a straightforward distributed threshold 
version of signed ElGamal encryption, see [SG98] for the threshold setting. 

Furthermore, we introduce the one-more decryption attack and we show that 
signed ElGamal encryption is secure against this attack. In the one-more de- 
cryption attack the adversary attempts to partially decrypt £ + 1 ciphertexts by 
asking a decryption oracle some £ times. The new attack is not covered by the 
adaptive chosen ciphertext attack, as the latter relates to a single target cipher- 
text. Interestingly, security against the one-more attack follows from plaintext 
awareness (PA) as defined in [BR94]. Proving PA is the core of the proof of 
Theorems 1 and 2.² For motivation of the one-more decryption attack, we propose a 
practical scheme for private information retrieval. It is based on blind decryption 
and security against the random one-more attack — which is a weak version of 
the one-more decryption attack. 

Generalized (signed) ElGamal encryption. Finally, we propose a more general 
variant of (signed) ElGamal encryption with two major advantages. Firstly, for 
long messages our generalized encryption is very fast and its data expansion rate 
approaches 1. Secondly, the generalized encryption does not require messages to 


1 The FFS-extractor of Feige-Fiat-Shamir, in the oracle replay mode of Pointcheval 
and Stern [PS96], extracts the secret signature key from signed ElGamal encryp- 
tions. The FFS-extractor has a constant delay factor, and thus can in polynomial 
time at most be iterated a logarithmical number of times. 

2 It seems that PA is the most important security notion for encryption. E.g., 
[BDPR98] show that PA and IND-CPA imply CCA-security while the converse does 
not hold. PA requires the ROM, security proofs without assuming the ROM do not 
prove PA. 
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be encoded into the group generated by the public key $h$.³ Let the message space 
be an arbitrary additive group $M$, e.g., $M = \mathbb{Z}_2^n$ for some $n$. Let a generalized 
ElGamal ciphertext be a pair $(g^r, m + H_M(h^r))$ for random $r \in \mathbb{Z}_q$, where 
$H_M : G \to M$ is a random hash function. We then add a Schnorr signature 
(using the public signature key $g^r$) to the ciphertext $(g^r, m + H_M(h^r)) \in G \times M$. 
This signed generalized ElGamal encryption has provably the same security as 
signed ElGamal encryption, without any further assumptions. 

The structure of the paper. In Section 2, we introduce the generic model for 
interactive algorithms that use a hash oracle and an oracle for decryption. We 
propose a setup for the GM that slightly differs from the [Sh97] proposal in that 
we do not assume a random binary encoding of group elements. We exemplify 
the difference of the two setups for the baby-step-giant-step DL-algorithm. While 
our generic algorithms do not allow for efficient sorting of group elements this 
does not affect the number of generic steps as equality tests of group elements 
are free of charge. 

In Section 3, we review signed ElGamal encryption, which is based on the 
original ElGamal encryption. Moreover, we generalize the original and the signed 
ElGamal encryption. Then we introduce the main tools for proving security in 
the GM. We show in Lemma 1 and 2 that a collision-free, non-interactive generic 
attacker A gets no information on the secret random data — the secret key, 
the random number r , etc. — except that A observes the absence of collisions. 
Lemma 1 bounds the probability for non-trivial collisions. This bound also covers 
the leakage of secret information through the absence of collisions. 

Section 4 presents the proof of CCA-security of signed ElGamal encryption in 
the ROM+GM. It gives a generic extractor that extracts the signature key $r = 
\log_g \bar h$ from a signed ElGamal ciphertext $(\bar h, f, c, z)$, produced by the attacker. 
We also prove security against the one-more decryption attack. We motivate this 
novel attack by interesting services for trading encrypted data. 


2 The Random Oracle and the Generic Model 

The Random Oracle Model (ROM). Let G be a group of prime order q 
with generator g , a range M of messages, and let Z q denote the field of integers 
modulo $q$. Let $H$ be an ideal hash function with range $\mathbb{Z}_q$, modelled as an oracle 
that given an input (query) in $G \times M$, outputs a random number in $\mathbb{Z}_q$. Formally, 
$H$ is a random function $H : G \times M \to \mathbb{Z}_q$ chosen at random over all functions of 
that type with uniform probability distribution. There is an ongoing debate on 
whether the assumption of a random hash function is realistic or too generous. 
The problem is that random functions can in principle not be implemented by 

3 Encoding of arbitrary bit sequences into sequences of group elements is easy for 
particular groups such as $\mathbb{Z}_p^*$ that correspond to an interval of integers. For general 
groups, even for subgroups of $\mathbb{Z}_N^*$ or subgroups of elliptic curves, an encoding into 
group elements is impractical. Known extensions of ElGamal encryption — see e.g., 
[MOV] section 8.26 — do not solve this encoding problem. 
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public algorithms. Canetti, Goldreich, Halevi [CGH98] present an artificial 
“counter-example” that is provably secure in the ROM but which cannot 
be implemented in a secure way replacing the random oracle by a computable 
function family.⁴ Nevertheless, the security achievable in the ROM seems in 
practice to eliminate all attacks at hand. 

The Generic Model (GM). Generic algorithms for G do not use the binary 
encodings of the group elements, as they access group elements only for group op- 
erations and equality tests. Nechaev [Ne94] proves that the discrete logarithm 
problem is hard in such a model. The generic model of algorithms was further 
elaborated on by Shoup [Sh97]. We present the Shoup model in a slightly differ- 
ent setup 5 and we extend it to algorithms that interact with a decryption oracle. 
Encryptions are for the private/public key pair (x, h), where x is random in Z q 
and h = g x . We describe the extended generic model in detail, first focusing on 
non-interactive algorithms and thereafter on algorithms interacting with oracles 
for hashing and decryption. 

The data of a generic algorithm is partitioned into group elements in $G$ and 
non-group data. The generic steps for group elements are multivariate exponentiations: 

• mex: $\mathbb{Z}_q^d \times G^d \to G$, $(a_1, \ldots, a_d, g_1, \ldots, g_d) \mapsto \prod_{i=1}^d g_i^{a_i}$ with $d \ge 0$. 

The cases $d = 2$, $a_1 = 1$, $a_2 = \pm 1$ present multiplication/division. The case $d = 0$ 
presents inputs in $G$ — e.g., $g, h$ are inputs for the DL-computation. 

Def. A (non-interactive) generic algorithm is a sequence of $t$ generic steps⁶ 

• $f_1, \ldots, f_{t'} \in G$ (inputs), $1 \le t' < t$, 

• $f_i = \prod_{j=1}^{i-1} f_j^{a_j}$ for $i = t' + 1, \ldots, t$, where $(a_1, \ldots, a_{i-1}) \in \mathbb{Z}_q^{i-1}$ depends 
arbitrarily on $i$, the non-group input and the set $CO_{i-1} := \{(j, k) \mid 
f_j = f_k,\ 1 \le j < k \le i - 1\}$ of previous collisions of group elements. 

Typical non-group inputs are represented by elements in $\mathbb{Z}_q$ — which we assume 
to be given — various integers in $\mathbb{Z}_q$ contained in given ciphertexts or signatures. 
$CO_t$ is the set of all collisions of the algorithm. 

4 In [CGH98] a mechanism for the implementation of random hash functions has been 
added to the ROM. The artificial ’’counter-example” is defined relative to that mech- 
anism using the function ensemble that implements the random oracle. 

5 We count the same generic steps as in [Sh97]; however, we allow arbitrary multivariate 
exponentiations while Shoup merely uses multiplication and division. The 
technical setup in [Sh97] looks different as groups $G$ are additive and associated with 
a random injective encoding $\sigma : G \to S$ of the group $G$ into a set $S$ of bit strings — 
the generic algorithm performs arbitrary computations on these bit strings. Addition/subtraction 
is done by an oracle that computes $\sigma(f_i \pm f_j)$ when given $\sigma(f_i), \sigma(f_j)$ 
and the specified sign bit. As the encoding $\sigma$ is random it contains only the information 
about which group elements coincide — this is what we call the set of collisions. 

6 We can allow a generic algorithm to perform a number t of generic steps, where t 
varies with the input. We can let the algorithm decide after each step whether to 
terminate depending arbitrarily on the given non-group data. Then the number t of 
generic steps depends on the computed non-group data. 
Some group inputs $f_i$ depend on random coin flips, e.g., the random public
key $h = g^x$ depends on the random secret key $x \in_R \mathbb{Z}_q$. The probability space
consists of the random group elements of the input. The logarithms $\log_g f_i$ of the
random inputs $f_i$ play the role of secret parameters. Information about the secret
parameters can only be revealed by collisions. E.g., $g^a = f_i^b$ implies $\log_g f_i = a/b$.
We let the non-group input and the generator $g$ not depend on random bits.
The output of a generic algorithm consists of

• non-group data that depend arbitrarily on the non-group input and on the
set $CO_t$ of all collisions,

• group elements $f_{a_1}, \dots, f_{a_d}$ where the integers $a_1, \dots, a_d \in \{1, \dots, t\}$
depend arbitrarily on the non-group input and on $CO_t$.

For the sake of clarifying the GM, we give an example of a generic algorithm:

The baby-step-giant-step DL-algorithm. This algorithm is given $q$ and
$g, h \in G$ and computes $\log_g h \in \mathbb{Z}_q$ in $2\sqrt{q}$ generic steps.

1. Compute $k := \lceil \sqrt{q} \rceil$, $l := \lceil q/k \rceil$ so that $lk - k < q \le lk$. The computation
of the non-group data $k, l$ is for free.

2. Form the lists $L_1 := \{ g^i \mid 0 \le i < k \}$ in $k - 1$ multiplications and
$L_2 := \{ h g^{jk} \mid 0 \le j < l \}$ in $l$ multiplications. Clearly, $L_1 \cap L_2 \ne \emptyset$.

3. Find a collision by testing all equalities $g^i = h g^{jk}$. Note that the detection
of the collision is for free. An equality implies $\log_g h = i - jk \bmod q$.

While this algorithm performs $\#L_1 \times \#L_2$ "free" equality tests, the corresponding
Turing machine — in the [Sh97]-setup — constructs a collision differently,
using only $O(\sqrt{q} \log_2 q)$ equality tests. It sorts the binary encodings of the
$g^i$ and inserts the encodings of $h g^{jk}$ into the sorted list.
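As an added illustration that is not part of the paper, the three steps above carried out in Python over a constructed toy group: the order-$q$ subgroup of $\mathbb{Z}_p^*$ for the safe prime $p = 2q + 1 = 2039$ with generator $g = 4$ (a quadratic residue, hence of order $q = 1019$). The `mults` counter tallies the group multiplications that the generic model charges for; the equality tests are realised by a dictionary over the encodings of $L_1$, which is the hashing analogue of the sorted-list Turing machine mentioned above. The parameters, the function names and the `check` helper are this example's own choices.

```python
"""Baby-step-giant-step discrete logarithm in a prime-order group.

Added example (not from the paper). G is the order-q subgroup of Z_p^*
for a constructed toy safe prime p = 2q + 1.
"""
from math import isqrt

# Constructed toy parameters: p = 2q + 1 with p, q prime; g = 4 is a
# quadratic residue mod p and therefore generates the subgroup of order q.
P, Q, G = 2039, 1019, 4


def bsgs(g: int, h: int, q: int, p: int) -> tuple:
    """Return (log_g h mod q, number of group multiplications spent).

    Step 1: k = ceil(sqrt(q)), l = ceil(q / k), so that (l-1)k < q <= lk.
    Step 2: baby steps L1 = {g^i : 0 <= i < k}, giant steps L2 = {h g^{jk} : 0 <= j < l}.
    Step 3: a collision g^i = h g^{jk} yields log_g h = i - jk mod q.
    In the generic model the equality tests are free; a Turing machine
    realises them by hashing the encodings of L1 (one dict lookup per giant step).
    """
    k = isqrt(q)
    if k * k < q:
        k += 1                           # k = ceil(sqrt(q))
    l = -(-q // k)                       # l = ceil(q / k)
    mults = 0

    baby = {}                            # encoding of g^i -> i
    cur = 1                              # g^0 is the neutral element, costs nothing
    for i in range(k):
        baby.setdefault(cur, i)
        if i < k - 1:
            cur = cur * g % p            # one multiplication per baby step
            mults += 1

    giant = pow(g, k, p)                 # g^k: one multivariate exponentiation (mex)
    mults += 1
    cur = h                              # h g^0
    for j in range(l):
        if cur in baby:                  # free equality test  g^i == h g^{jk}
            return (baby[cur] - j * k) % q, mults
        cur = cur * giant % p            # next giant step h g^{(j+1)k}
        mults += 1
    raise ValueError("no collision: h is not in the subgroup generated by g")


def check(x: int) -> bool:
    """Round trip for a constructed secret x: h = g^x, then bsgs must recover x."""
    found, _ = bsgs(G, pow(G, x, P), Q, P)
    return found == x % Q
```

For $q = 1019$ the algorithm uses $k = l = 32$, i.e. at most $31 + 1 + 31 = 63$ multiplications, matching the $2\sqrt{q}$ count of the generic model; the dictionary replaces the $\#L_1 \times \#L_2 = 1024$ free comparisons by 32 lookups.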

Going back to the description of the model we work in, we now elaborate on
interactive, generic algorithms. We count the following generic steps:

• group operations, mex: $\mathbb{Z}_q^d \times G^d \to G$, $(a_1, \dots, a_d, g_1, \dots, g_d) \mapsto \prod_{i=1}^d g_i^{a_i}$,

• queries to the hash oracle $H$,

• interactions with a decryption oracle (decryptor for short) — see 3.1.^7

A generic adversary $A$ — attacking an encryption scheme — is an interactive
algorithm that interacts with a decryptor. It performs some $t$ generic steps
resulting in $t' \le t$ group elements $f_1, \dots, f_{t'}$. $A$ iteratively selects the next generic
step — a group operation, a query to $H$, an interaction with the decryptor —
depending arbitrarily on the non-group input and on previous collisions of group
elements.

The input consists of the generator $g$, the public key $h \in G$, the group order
$q$, a collection of messages and ciphertexts and so on, all of which can be broken
down into group elements and non-group data.

The computed group elements $f_1, \dots, f_{t'} \in G$ include the group elements contained
in the input, such as $g, h$. When counting the number of group operations, we
count each input as one operation. As a decryptor interaction is counted as a
generic step the number $t'$ of group elements is bounded by the number $t$ of
generic steps, $t' \le t$. We have $t = t'$ for a non-interactive $A$.

The given non-group data consists of the non-group data contained in the
input, the previous hash replies $H(Q)$ of queries $Q$, and the set of previous
collisions of group elements.

7 Other types of interactions are possible for other signature/encryption schemes, other
cryptographic protocols using groups of non-prime order, groups of unknown order
or using several distinct groups.

A decryptor interaction (defined in subsection 3.1) is a two round deterministic
protocol. A claimed ciphertext is sent to the decryptor, which performs a
generic group operation using the secret decryption key $x$, verifies the Schnorr
signature using the public key $\bar h = g^{\bar r}$ contained in the ciphertext, and — in case
that this signature is correct — outputs the decrypted message. If the signature
is invalid the decryptor outputs a random element of $G$. $A$'s interactions with
the decryptor are sequential as the interleaving of these two-round interactions
is necessarily trivial.

$A$'s output and transmission to the decryptor consists of non-group data $NG$
and previously computed group elements $f_a$, where $NG$ and $a$, $1 \le a \le t'$,
depend arbitrarily on given non-group data.

$A$'s transmission to the hash oracle $H$ depends arbitrarily on given group
elements and given non-group data. The probability space consists of the random
$H$ and the random input group elements.

The restriction of the generic model is that $A$ can use group elements only
for generic group operations, equality tests and for queries to the hash oracle,
whereas non-group data can be arbitrarily used without charge. The computed
group elements $f_1, \dots, f_{t'}$ are given as explicit multiplicative combinations of
group elements in the input and from decryptor interactions. Let the group
elements in the input and from decryptor interactions be $g_1, \dots, g_e$. By induction
on $j$, a computed $f_j \in G$ is of the form $f_j = g_1^{a_{j,1}} \cdots g_e^{a_{j,e}}$, where the exponents
$a_{j,1}, \dots, a_{j,e} \in \mathbb{Z}_q$ depend arbitrarily on given non-group data. $A$ can arbitrarily
use the coefficients $a_{j,1}, \dots, a_{j,e}$ from this explicit representation of $f_j$. A generic
adversary is deterministic, which is not a restriction as its coin flips would be
useless.^8

Trivial collisions. We call a collision $(i, j) \in CO_t$ trivial if $f_i = f_j$ holds
with probability 1, i.e., if it holds for all choices of the secret data such as the
secret key $x$ and the random bits $r$ of the encipherer. We write $f_i \equiv f_j$ for
a trivial collision.^9 Trivial collisions do not release any information about the
secret data while non-trivial collisions can completely release some secret data.


8 $A$ could select interior coin flips that maximize the probability of success — there
is always a choice for the internal coin flips that does not decrease $A$'s probability of
success. It is useless for $A$ to generate random group elements — in particular ones
with unknown DL. Using one generic step, $A$ could replace random elements in $G$
by some deterministic $g^a$ where $a \in \mathbb{Z}_q$ is chosen as to maximize the probability of
success.

9 Trivial collisions occur in testing correctness of an ElGamal ciphertext $(g^r, m h^r)$ and
its message $m$. In case of a correct message-ciphertext pair the test results in a trivial
collision. Also, identical repetitions of a group operation yield a trivial collision.

Trivial collisions can be ignored, and so, we can exclude them from $CO_t$ so that
$CO_t$ consists only of non-trivial collisions.

3 Signed ElGamal Encryption, Non-interactive Attacks

We define Schnorr signatures, based on an ideal hash function $H : G \times M \to \mathbb{Z}_q$,
where $M$ is the set of messages. Hereafter we define signed ElGamal encryption as
well as the generalized concepts of the original and of signed ElGamal encryption.

Lemmas 1 and 2 are our main tools for proving security in the GM. These show
— for a collision-free attacker — that the secret data $x, r$, etc. are statistically independent of
all non-group data. There is, however, a minor leakage of secret information as
the secret data are not perfectly random in the absence of collisions. We show
in Prop. 2 that ElGamal encryption is indistinguishable (or semantically secure)
against generic non-interactive attacks. Prop. 2 is part of the CCA-security proof
of Theorem 1.

Private/public key for signatures. The private key $x$ is random in $\mathbb{Z}_q$. The
corresponding public key $h = g^x \in G$ is random in $G$, $x = \log_g h$.

A Schnorr signature on a message $m$ is a triple $(m, c, z) \in M \times \mathbb{Z}_q^2$ such that
$H(g^z h^{-c}, m) = c$. In order to sign a message $m \in M$, pick a random $r \in_R \mathbb{Z}_q$,
compute $g^r$, $c := H(g^r, m)$ and $z := r + cx$. Output the signature $(m, c, z)$.

In order to verify a signature $(m, c, z)$ check that $H(g^z h^{-c}, m) = c$. The
signing protocol produces a correct signature since $g^z h^{-c} = g^{r + cx} h^{-c} = g^r$.


3.1 Definition of Signed ElGamal Encryption 

The private/public key pair for encryption is $x$, $h = g^x$ where $x$ is random in $\mathbb{Z}_q$.
The basic encryption scheme is for messages in $M = G$, ElGamal ciphertexts are
in $G \times M$, the added Schnorr signature signs pairs in $G \times M$ and uses a random
hash function $H : G^2 \times M \to \mathbb{Z}_q$. We also propose a generalized scheme, where
the message space $M$ is an arbitrary additive group.

In order to encipher a message $m \in G$, we pick random $r, s \in_R \mathbb{Z}_q$, compute
$g^r$, $m h^r$, $c := H(g^s, g^r, m h^r)$ and $z := s + cr$ and output the ciphertext
$(g^r, m h^r, c, z) \in G^2 \times \mathbb{Z}_q^2$.

A decryption oracle (decryptor) is a function that decrypts valid ciphertexts:
The user sends a claimed ciphertext $(\bar h, f, c, z)$ to the decryptor. The decryptor
checks that $H(g^z \bar h^{-c}, \bar h, f) = c$ and sends, if that test succeeds, $m := f / \bar h^x$ to the
user. If the test fails the decryptor sends a random message in $G$. For simplicity,
we disregard the impact of that random message on the probability.

The decryption is correct as $\bar h = g^r$, $f = m h^r$ yields $f / \bar h^x = m\, g^{rx} g^{-rx} = m$.
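An added example of subsection 3.1, not the paper's own code: signed ElGamal encryption with its decryptor over the order-$q$ subgroup of $\mathbb{Z}_p^*$ for a 65-bit safe prime $p = 2q + 1$ that the block searches for at import time (a toy size, chosen only so that the hash collision probability $1/q$ is negligible in the checks, not a recommended parameter). SHA-256 reduced mod $q$ stands in for the random oracle $H$; `is_prime`, `safe_prime_group`, the names `P`, `Q`, `G` and all function names are this example's own assumptions. `cca_probe` shows what the added signature buys: re-randomising the ElGamal part $(g^r, m h^r)$ into $(g^{r+s}, m h^{r+s})$, which would be another valid ciphertext of the same $m$ under plain ElGamal, invalidates the Schnorr signature, so the decryptor refuses to answer.

```python
"""Signed ElGamal encryption and its decryptor (subsection 3.1).

Added example, not the paper's code. Constructed setting: G is the
order-q subgroup of Z_p^* for a safe prime p = 2q+1 found at import
time; H is SHA-256 reduced mod q, standing in for the random oracle.
"""
import hashlib
import secrets

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in MR_BASES:
        y = pow(a, d, n)
        if y in (1, n - 1):
            continue
        for _ in range(s - 1):
            y = y * y % n
            if y == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits: int = 64) -> tuple:
    """First q > 2^bits with q and p = 2q+1 prime; g = 4 is a quadratic
    residue mod p and therefore generates the subgroup G of order q."""
    q = (1 << bits) + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


P, Q, G = safe_prime_group()


def H(*parts: int) -> int:
    """Random-oracle stand-in, used as H: G^2 x M -> Z_q and as G x M -> Z_q."""
    data = b"|".join(str(v).encode() for v in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def schnorr_sign(x: int, msg: tuple, r: int = None) -> tuple:
    """(c, z) with c = H(g^r, msg), z = r + c x; x is the signing key."""
    r = secrets.randbelow(Q) if r is None else r
    c = H(pow(G, r, P), *msg)
    return c, (r + c * x) % Q


def schnorr_verify(pub: int, msg: tuple, c: int, z: int) -> bool:
    """Accept iff H(g^z pub^{-c}, msg) = c; pub^{-c} = pub^{q-c} since pub^q = 1."""
    commit = pow(G, z, P) * pow(pub, (-c) % Q, P) % P
    return H(commit, *msg) == c


def encrypt(h: int, m: int) -> tuple:
    """(g^r, m h^r, c, z): the ElGamal pair plus a Schnorr signature of that
    pair under the one-time key pair (r, g^r)."""
    r = secrets.randbelow(Q)
    h_bar, f = pow(G, r, P), m * pow(h, r, P) % P
    c, z = schnorr_sign(r, (h_bar, f))
    return h_bar, f, c, z


def decryptor(x: int, cip: tuple):
    """Decryption oracle: verify (c, z) under public key h_bar, then return
    f / h_bar^x. The paper's decryptor answers an invalid ciphertext with a
    random group element; here the rejection is made explicit as None."""
    h_bar, f, c, z = cip
    if not schnorr_verify(h_bar, (h_bar, f), c, z):
        return None
    return f * pow(h_bar, (-x) % Q, P) % P


def cca_probe(m: int, x: int) -> tuple:
    """Honest round trip under h = g^x, then the ElGamal re-randomisation
    (g^{r+s}, f h^s) of the same ciphertext without a fresh signature.
    Returns (honest plaintext, oracle answer to the tampered ciphertext)."""
    h = pow(G, x, P)
    h_bar, f, c, z = encrypt(h, m)
    s = secrets.randbelow(Q - 1) + 1            # s != 0, so the pair really changes
    tampered = (h_bar * pow(G, s, P) % P, f * pow(h, s, P) % P, c, z)
    return decryptor(x, (h_bar, f, c, z)), decryptor(x, tampered)
```

The signature is verified under the public key $\bar h$ taken from the ciphertext itself, so anyone can check validity without $x$; this is the locally verifiable test that Remark 2 below relies on for threshold decryption.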
Remarks 1. A signed ciphertext $(g^r, m h^r, c, z)$ consists of an ElGamal ciphertext
$(g^r, m h^r)$ and a Schnorr signature $(c, z)$ of the "message" $(g^r, m h^r)$ for the
public signature key $g^r$. The signature $(c, z)$ does not contain any information
about $m$ as $(c, z)$ depends on $m$ exclusively via some hash value that is statistically
independent of $m$.
2. Threshold Distributed Version. The validity of the ciphertext $(\bar h, f, c, z)$
is tested prior to and separate from decryption. Hence, the security properties of
the scheme are preserved in the more general setting of threshold cryptography,
see [SG98]. It is possible for a distributed entity to perform the decryption in a
controlled manner after each server first having verified that indeed the decryption
is allowed, i.e., that the signature in the ciphertext is valid. If this were not
locally verifiable, it would make a threshold decryption severely more complex.

3. Comparison with other secure DL-cryptosystems. We count the number
of exponentiations per encryption/decryption and the number of on-line exponentiations
per encryption, i.e., exponentiations that depend on the message and hence cannot be precomputed.^10

                               exp./enc.   on-line/enc.   exp./dec.
    Signed ElGamal enc.            3             0             2
    [FO99] ElGamal                 2             2             2
    [ABR98]                        2             0             1
    [CS98], [Sh00]                 4             1             2
    [SG98], TDH1, TDH2             5             2             5

The relative efficiency of [FO99], [ABR98] is due to the usage of further
cryptographic primitives. [FO99] uses private encryption, [ABR98] uses private
encryption and a message authentication code. Signed ElGamal encryption and
TDH1, TDH2 of [SG98] are amenable to a secure distributed threshold decryption.
Signed EG-encryption and the [FO99] EG-scheme are plaintext aware.
Signed ElGamal encryption virtually combines all the good properties.

Generalized (signed) ElGamal encryption. Let the message space $M$ be
an arbitrary additive group, e.g., $M = \mathbb{Z}_q^n$. Let $H : G^2 \times M \to \mathbb{Z}_q$ be a random
hash function and let $H_M : G \to M$ be a second random hash function that
is statistically independent of $H$. Then replace in the basic encryption scheme
$m h^r \in G$ by $m + H_M(h^r) \in M$.

The generalized ElGamal ciphertext is $(g^r, f)$, where $f = m + H_M(h^r)$,
the generalized signed ElGamal ciphertext is $(g^r, f, c, z)$, and $c = H(g^s, g^r, f)$,
$z = s + cr$. Decrypt a signed ciphertext $(\bar h, f, c, z)$ into $f - H_M(\bar h^x)$ provided
that the signature $(c, z)$ of $(\bar h, f)$ is correct, i.e., $H(g^z \bar h^{-c}, \bar h, f) = c$.

For $M = \mathbb{Z}_q^n$ the bit length of the ciphertext is $\|G\| + (n + 2) \log_2 q$, the
message is $n \log_2 q$ bits long and $\|G\|$ is the bit length of the group elements.
The data expansion rate is $1 + \frac{\|G\| + 2 \log_2 q}{n \log_2 q}$, which is near to 1 for large $n$.

The short generalized ciphertexts are as secure as the original ones. Encryption
requires only a long^11 and a short hash as well as a long and a short addition.
The three exponentiations $g^r, h^r, g^s$ can be done beforehand.

10 We count an expression $g^z h^{-c}$ as 1 exponentiation even though it is slightly more
expensive than a full exponentiation.

11 Long hash values in $\mathbb{Z}_q^n$ can be generated from a random hash function with short
outputs, $H_M : G \times \{1, \dots, n\} \to \mathbb{Z}_q$, according to the following, or some related, approach:
$(H_M(f, 1), \dots, H_M(f, n))$.
3.2 Basic Tools for Proving Security in GM

This subsection studies a generic, non-interactive adversary $A$ that performs
some $t$ generic steps in attacking the indistinguishability of ElGamal encryption.
Given $q$, the public key $h = g^x$, two messages $m_0, m_1 \in G$ and an ElGamal
ciphertext $cip_b = (g^r, m_b h^r)$ for random $r, x \in_R \mathbb{Z}_q$ and $b \in_R \{0, 1\}$, $A$ guesses
$b$. We show that $A$ does not succeed better than with probability $\frac{1}{2} + 2\binom{t}{2}/q$.

The probability space consists of the random group elements $g^r, g^x, m_b g^{rx}$,
or equivalently of the random $r, x \in_R \mathbb{Z}_q$ and $b \in_R \{0, 1\}$. Let $A$ compute the
group elements $f_1, \dots, f_t$. We let the Main Case be the part of the probability
space where there are no non-trivial collisions among $f_1, \dots, f_t$, i.e., $CO_t = \emptyset$.

Lemma 1. Non-trivial collisions among $f_1, \dots, f_t$ occur at most with probability
$2\binom{t}{2}/q$. The probability refers to the random $b, r, x$.

Proof. In order to prove the claim we show for $i < j$, $f_i \not\equiv f_j$, for constant $b$ and
random $r, x \in \mathbb{Z}_q$ that $\Pr_{r,x}[f_i = f_j] \le 2/q$. This implies

$\Pr_{r,x}[CO_t \ne \emptyset] \le \sum_{i < j} \Pr_{r,x}[f_i = f_j] \le 2\binom{t}{2}/q.$

The input group elements are $g, g^r, h, m_b h^r, m_0, m_1$. Let $\log_g m_0, \log_g m_1$ be
given, then all computed group elements are explicit combinations of $(g_1, g_2, g_3, g_4) = (g, g^r, h, m_b h^r)$,
thus $f_j = \prod_{k=1}^{4} g_k^{a_{j,k}}$ where the exponents $a_{j,1}, \dots, a_{j,4} \in \mathbb{Z}_q$
depend arbitrarily on given non-group data, but not on $b, r, x$. Consider
$r, x$ as formal variables over $\mathbb{Z}_q$. Then $\log_g f_j$ is a polynomial in $\mathbb{Z}_q[r, x]$ of
the form $a_{j,1} + a_{j,2}\, r + a_{j,3}\, x + a_{j,4} (\log_g m_b + rx)$. The difference polynomial
$\log_g f_i - \log_g f_j \in \mathbb{Z}_q[r, x]$ has total degree $d \ge 1$ as we assume that trivial collisions
have been eliminated. Importantly, trivial collisions do not depend on $b$.^12
As $1 \le d \le 2$, the probability that $f_i(r, x) = f_j(r, x)$ for random $r, x$ is^13 at
most $2/q$, thus proving the claim. Here we use a Lemma attributed to Schwartz
[Sch80].^14 □

The leakage of secret information through the absence of collisions. Here we
pay attention to the fact that $b, r, x$ are not perfectly random if $CO_t = \emptyset$. By
Lemma 1 a $2\binom{t}{2}/q$-fraction of the probability space is excluded in the Main Case.
The Shannon entropy of the secret parameters $b, r, x$ decreases accordingly. We
can neglect this minor leakage of secret information through the absence of
collisions. Thus, for a "collision-free" attacker the secret data are statistically
independent of the computed non-group data:

12 The formal polynomial $\log_g f_i - \log_g f_j \in \mathbb{Z}_q[r, x]$ is of the form $c_1 + c_2\, r + c_3\, x +
c_4 (\log_g m_b + rx)$. The coefficients $c_1, \dots, c_4 \in \mathbb{Z}_q$ only depend on $q$ and previous non-trivial
collisions. If $f_i \equiv f_j$ holds for some $b \in \{0, 1\}$ then $c_4 = 0$ and $f_i \equiv f_j$ holds
for all $b \in \{0, 1\}$. Hence the identity $f_i \equiv f_j$ does not depend on $b$.

13 The factor 2 disappears if $m_b h^r$ is removed from the input — then the difference
polynomial has total degree at most 1.

14 Lemma [Sch80]. A non-zero multivariate polynomial $F \in \mathbb{Z}_q[X_1, \dots, X_k]$ of total degree $d$
satisfies for random $x_1, \dots, x_k \in \mathbb{Z}_q$ that $\Pr_{x_1, \dots, x_k}[F(x_1, \dots, x_k) = 0] \le d/q$.
Lemma 2. In the Main Case the random $b, r, x$ are statistically independent of the computed
non-group data except that the $b, r, x$ leading to collisions are excluded.

Proof. The random $b, r, x$ enter into the generic computation only via the group
elements $g^r, g^x, m_b g^{rx}$. Therefore, $b, r, x$ enter into non-group data only via non-trivial
collisions of group elements. □

Proposition 1. Generic DL-Complexity Lower Bound [Ne94,Sh97]. Let $A$, upon
input $g$ and $h = g^x \in_R G$, output $y \in \mathbb{Z}_q$. Then $\Pr_x[y = \log_g h] \le \binom{t}{2}/q + 1/q$.

Proof. We use Lemmas 1 and 2 for a generic $A$ with input $g, h$ — without inputs
$g^r, m_b h^r$. The factor 2 in Lemma 1 disappears as the polynomials $\log_g f_j$ have
total degree $\le 1$. For a collision-free $A$, $x$ is statistically independent of the
non-group output $y$, and thus $\Pr_x[y = \log_g h] = 1/q$. By Lemma 1, non-trivial
collisions occur at most with probability $\binom{t}{2}/q$. □

Proposition 2. Indistinguishability. Let a generic, non-interactive $A$ be given
$g, h$, two messages $m_0, m_1 \in G$ and a ciphertext $(g^r, m_b h^r)$ for random $r \in_R \mathbb{Z}_q$
and $b \in_R \{0, 1\}$. Let $A$ output a guess $b'$ for $b$. Then $\Pr_{b,x,r}[b' = b] \le \frac{1}{2} + 2\binom{t}{2}/q$.

Proof. In the Main Case $b, r, x$ are statistically independent of the non-group output $b'$, thus
$\Pr_{b,x,r}[b' = b] = \frac{1}{2}$. The Main Case occurs except with probability $2\binom{t}{2}/q$. □

Extension 1. Obviously Prop. 2 extends to generalized ElGamal ciphertexts
$(g^r, m + H_M(h^r))$ for a random function $H_M : G \to M$. Whereas $A$ can arbitrarily
use the hash values $H_M(f_1), \dots, H_M(f_t)$ of the computed group elements,
these hash values are statistically independent random numbers except for collisions
$f_i = f_j$.

Extension 2. Prop. 2 extends to signed ElGamal encryption and to generalized
signed ElGamal encryption. This is because the added Schnorr signature does not
contain any information about the plaintext.

4 Security Against Interactive Attacks

We study the security of signed ElGamal encryption in ROM+GM. Signed ElGamal
encryption was independently proposed by Tsiounis and Yung [TY98]
and Jakobsson [J98]. We show in Theorem 1 that this scheme is indistinguishable
against the adaptive chosen ciphertext attack (CCA). This is equivalent to
non-malleability against CCA [DDN98]. We refer to non-malleability as defined
in [DDN98] and to the strong chosen ciphertext attack proposed by Rackoff
and Simon [RS92]. The adversary has access to a decryption oracle which can
be used arbitrarily except for the target ciphertext.

Moreover, we introduce the one-more-decryption attack and we show in Theorem 2
that signed ElGamal encryption is secure against this attack. An adversary
can — after some $\ell$ interactions with the decryption oracle — not decrypt more
than $\ell$ ciphertexts. More precisely, he gets non-negligible information about at
most $\ell$ encrypted plaintexts. The core of the proof of Theorems 1 and 2 shows
that signed ElGamal encryption is plaintext aware. Therefore, the attacker's decryption
requests for self-constructed ciphertexts can be eliminated.

Theorem 1 proves indistinguishability against a CCA-adversary $A$. The adversary
is given a target ciphertext $cip_b$ and a decryption oracle for the decryption
of arbitrary ciphertexts except for $cip_b$. The attack is called adaptive because
the queries to the decryption oracle may depend on the challenges and their corresponding
answers. We let the generic adversary $A$ perform some $t$ generic
steps: group operations, inputs in $G$, queries to the oracle $H$, and queries to the
decryption oracle not including the target ciphertext.

Theorem 1. Let the attacker $A$ be given $g, h$, distinct messages $m_0, m_1$, a target
ciphertext $cip_b$ corresponding to $m_b$ for a random bit $b \in_R \{0, 1\}$, and oracles
for $H$ and for decryption. Then a generic $A$ using $t$ generic steps cannot predict
$b$ with a better probability than $\frac{1}{2} + t^2/q$. The probability space consists of the
random $x, H, b$ and the coin tosses $r$ of the encipherer.

Proof. We present a generic extractor $\mathcal{E}$ that extracts the secret key $\bar r = \log_g \bar h$
from a signed ciphertext $(\bar h, f, c, z)$ produced by $A$. Given $\bar r$, $h$, $f = m h^{\bar r}$ the
plaintext $m$ can be extracted in one generic step. Thus, signed ElGamal encryption
is — in a generic way — plaintext aware as defined in [BR94].

Let $(\bar h, f, c, z)$ be the first claimed ciphertext that $A$ transmits to the decryptor.
$A$ has produced it without interacting with the decryptor. Let this
non-interactive, generic computation compute group elements $f_1, \dots, f_{t'}$, $t' \le t$.
By Lemma 1 non-trivial collisions among $f_1, \dots, f_{t'}$ occur with probability no
more than $2\binom{t}{2}/q$. By Lemma 2 the secret $b, r, x$ are statistically independent of
the non-group data of a collision-free computation of $(\bar h, f, c, z)$.

In the ROM the equation $c = H(g^z \bar h^{-c}, \bar h, f)$, required for a valid signature,
necessitates that $A$ selects $c$ from given hash values $H(f_\sigma, f_j, f)$ for given group
elements $f_\sigma$, $f_j = \bar h$, $f$. Otherwise, the equation $c = H(g^z \bar h^{-c}, \bar h, f)$ holds with
probability $1/q$ as $H$ is random. $A$ gets $c = H(f_\sigma, f_j, f)$ from the hash oracle^15
and must compute $z$ so that $g^z \bar h^{-c} = f_\sigma$, i.e., $A$ must compute $z = \log_g(f_\sigma f_j^c)$.

The computed $z$ does not depend on $x, r$ whereas $\log_g(f_\sigma f_j^c)$ may depend. We
distinguish between the two values as follows: We let $z' := \log_g(f_\sigma f_j^c)$ denote the
value required for a signature, whereas the computed $z$ is from $A$'s transmission
$(f_j, f, c, z)$.

Let the target ciphertext be $cip_b = (g^r, m_b h^r, c_b, z_b)$, where the random
$r, x \in_R \mathbb{Z}_q$, $b \in_R \{0, 1\}$ are secret and $h = g^x$. Let $\log_g m_0, \log_g m_1$ be given, then
$A$'s group steps refer to the given group elements $(g_1, g_2, g_3, g_4) := (g, g^r, h, m_b h^r)$.
$A$ computes $f_i := \prod_{k=1}^{4} g_k^{a_{i,k}}$ for $i = 1, \dots, t'$ using exponents $a_{i,1}, \dots, a_{i,4} \in \mathbb{Z}_q$
that arbitrarily depend on given non-group data, but not on $b, r, x$. Hence $z'$ is
of the form

$z' = \log_g(f_\sigma f_j^c) = a_{\sigma,1} + c\, a_{j,1} + (a_{\sigma,2} + c\, a_{j,2})\, r + (a_{\sigma,3} + c\, a_{j,3})\, x + (a_{\sigma,4} + c\, a_{j,4})(\log_g m_b + rx).$

Considering $r, x$ as formal variables over $\mathbb{Z}_q$, $z'$ is a polynomial in $\mathbb{Z}_q[r, x]$. The
random $b, c, r, x$ are statistically independent of $a_{\sigma,1}, \dots, a_{\sigma,4}, a_{j,1}, \dots, a_{j,4}$.

Obviously $z'$ has total degree $d = 0$ if and only if $a_{\sigma,k} + c\, a_{j,k} = 0$ for
$k = 2, 3, 4$. If the total degree $d$ is non-zero then $1 \le d \le 2$, and thus $z' = z(c)$
holds with probability at most $2/q$ for random $r, x$ and arbitrary functions $z(c)$.
There are two subcases of the case $d = 0$: either $f_j = g^{a_{j,1}}$, $f_\sigma = g^{a_{\sigma,1}}$ or
$a_{\sigma,k} = -c\, a_{j,k}$ for $k = 2, 3, 4$ with some $a_{j,k} \ne 0$. The second case occurs with
probability $\le 1/q$ as the hash value $c$ is statistically independent of $a_{\sigma,k}, a_{j,k}$.

Thus, a collision-free $A$ succeeds not better than with probability $2/q$ in generating
a correct signature $(c, z)$ except that $A$ sets $f_j = g^{a_{j,1}}$, $f_\sigma = g^{a_{\sigma,1}}$. So,
let the extractor $\mathcal{E}$ compute $\bar r := a_{j,1}$ by mimicking $A$'s computation of $\bar h = f_j$.

15 $A$'s choice of $c, \sigma$ is determined by the claimed ciphertext $(\bar h, f, c, z)$ via $f_\sigma = g^z \bar h^{-c}$.

Eliminating all interactions with the decryptor. The plaintext corresponding
to $(\bar h, f, c, z)$ is $f / \bar h^{\log_g h} = f / h^{a_{j,1}}$ except for a probability $2/q$. This eliminates
the first interaction with the decryptor and the call for $H(f_\sigma, f_j, f)$,^16 using one
generic step for computing $f / h^{a_{j,1}}$. This decreases the number of generic steps
and reduces $A$'s probability of success by at most $2/q$. Let there be $\ell$ interactions
with the decryptor. We iteratively eliminate them by the above method.^17 This
transforms $A$ into a non-interactive generic $A'$ that performs $t - \ell$ generic steps.
Proposition 2 applies to the non-interactive $A'$, because the Schnorr signature in
$cip_b$ is useless for decryption.^18 Also, the oracle $H$ is useless without a decryptor.
Thus, the non-interactive $A'$ predicts $b$ with a probability not exceeding
$(t - \ell)^2/q + \frac{1}{2}$. This proves Theorem 1 as $(t - \ell)^2 + 2\ell \le (t - \ell + \ell)^2 = t^2$ for $t - \ell \ge 3$.
Note that $t - \ell \ge 4$ due to the input group elements $g, g^r, h, m_b h^r$. □

Theorem 1 can easily be extended to the one-more decryption attack.

Theorem 2. Let the attacker $A$ be given $g, h$, ciphertexts $cip_1, \dots, cip_d$, the corresponding
messages $m_1, \dots, m_d$ in random order and oracles for $H$ and for decryption.
Let the generic $A$ perform $t$ generic steps including some $\ell < d$ arbitrary
queries to the decryption oracle. Then $A$ cannot produce $\ell + 1$ message-ciphertext
pairs with a probability better than $\frac{1}{d - \ell} + t^2/q$. The probability space
consists of the random $x, H$, the coin tosses of the encipherer and the random
ordering of the messages.

16 The transformed $A$ gets the plaintext $f / h^{a_{j,1}}$ of the first decryptor interaction without
using the signature and its hash value required for the decryption request. If
$A$ does not get $c$ from the oracle $H$ we remove the call for decrypting $(\bar h, f, c, z)$,
decreasing the number of generic steps and decreasing $A$'s probability of success by
at most $1/q$.

17 This iterative elimination is impossible in the ROM without assuming the GM, see
footnote 1.

18 The signature contained in a ciphertext does not reveal any information about the
message $m$. The signature depends on $m$ exclusively via the hash value $c$ that is
statistically independent of $m$.
Proof. We have shown that signed ElGamal encryption is plaintext aware, and
the attacker can only construct ciphertexts corresponding to known plaintexts. In
particular, the adversary $A$ can be transformed into a generic adversary $A'$ that
does not query the decryptor about any self-constructed ciphertext, performs $t$
generic steps and succeeds essentially with the same probability as $A$. $A'$ can only
query the decryption oracle about $\ell$ of the input ciphertexts. These $\ell$ decryptions
give no information about the $d - \ell$ remaining input ciphertexts. This is because
the random bits of the ciphertexts are statistically independent. We can therefore eliminate
the $\ell$ decryptions and the resulting $\ell$ message-ciphertext pairs. This transforms
$A'$ into a non-interactive adversary where the argument of Lemma 1 applies.
Consider the impact of a random permutation of the remaining $d - \ell$ messages
for a collision-free attacker. By Lemma 2 the random permutation is statistically
independent of $A'$'s guess of a correct message-ciphertext pair. Therefore, $A'$
cannot guess a correct pair with a probability better than $\frac{1}{d - \ell}$. By Lemma 1
non-trivial collisions occur with probability at most $t^2/q$, hence the claim. □

Trading encrypted information. Suppose a user wants to buy sensitive digital
information, e.g., digital music, videos, pictures, stock market analysis, etc.
Let the digital information be freely accessible in encrypted form in a public
data bank. For simplicity, let each encrypted package cost $1. Let the users have
access to a public decryption oracle that charges $1 per decryption. For the security
of such trading of encrypted information the encryption scheme must be
secure against the one-more decryption attack.

This type of service does not require CCA-security. However, it would be nice
to have an encryption that allows for blind decryption so that no information
is revealed in a decryptor interaction. Blind decryption guarantees anonymity
of the buyer of digital information. It is well known that the original ElGamal
ciphertexts allow for blind decryption.^19 Even though ElGamal encryption is
insecure against the one-more decryption attack, we show below that it is secure
against the weaker random one-more attack, where the enciphered plaintexts are
statistically independent messages — e.g. secret keys that are unknown to the
attacker.

Efficient scheme for private information retrieval (PIR). Let the information
packages $m_i$ of the public data bank be each encrypted under a private
key $k_i$ of a secure symmetric encryption scheme. Let $m_i$ contain a content description
$descr_i$ of $m_i$ and a signed ElGamal ciphertext $cip(k_i) = (g^r, k_i h^r, c, z)$
of the key $k_i \in G$. Let $(c, z)$ be a signature of $(g^r, k_i h^r, descr_i)$ with public key
$g^r$. Suppose a user wants to anonymously buy $\ell$ packages $m_i$ of his choice. He
checks the Schnorr signature $(c, z)$ of $cip(k_i) = (g^r, k_i h^r, c, z)$ in package $m_i$ and
stops if the signature is invalid. Otherwise, he blinds the ElGamal ciphertext
$(g^r, k_i h^r)$ into $(g^{r+s}, u k_i h^{r+s})$ for random $s \in \mathbb{Z}_q$, $u \in G$, and asks the decryption
oracle to decrypt $(g^{r+s}, u k_i h^{r+s})$. As the blinded ciphertext is statistically
independent of $(g^r, k_i h^r)$ no information is revealed about which $k_i$ he gets. As
the user pays for $\ell$ decryptions it is important that he cannot get $\ell + 1$ keys $k_i$.

19 Blind decryption of the ElGamal ciphertext $(g^r, m h^r)$: The user picks random $u \in G$
and $s \in \mathbb{Z}_q$ and asks for decryption of $(g^{r+s}, u m h^{r+s})$. He gets $m$ from the plaintext
$um$ transmitted by the decryptor by multiplication with $u^{-1}$.

Security against the random one-more attack. Consider the above PIR for
random $k_i \in G$. Clearly, $\ell + 1$ keys $k_i \in_R G$ have Shannon entropy $(\ell + 1) \log_2 q$.
But each decryption reveals no more than $\log_2 q$ bits of a plaintext in $G$, $|G| = q$.
Thus, $\ell$ decryptions cannot reveal $\ell + 1$ statistically independent keys $k_i$.
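The blind decryption of footnote 19 applied to the anonymous key purchase above, as an added example that is not part of the paper. It works on plain ElGamal pairs over the constructed toy group ($p = 2039$, $q = 1019$, $g = 4$); the Schnorr signature check on the package is assumed to have been done already and is left out, and the oracle holding $x$ is folded into the same process for the demonstration. Function names and the sample keys are this example's own choices. The oracle only ever sees the blinded pair $(g^{r+s}, u k_i h^{r+s})$, which for random $s$ and $u$ is a uniformly random element of $G \times G$ independent of the package, so it learns neither $i$ nor $k_i$; it still answers exactly one key per paid call.

```python
"""Blind ElGamal decryption for the anonymous key purchase (footnote 19).

Added example, not the paper's code; constructed toy group and keys.
"""
import secrets

# Constructed toy group: order-q subgroup of Z_p^*, p = 2q + 1, g = 4.
P, Q, G = 2039, 1019, 4


def elgamal_encrypt(h: int, m: int, r: int = None) -> tuple:
    """Plain ElGamal ciphertext (g^r, m h^r) of m in G under h = g^x."""
    r = secrets.randbelow(Q) if r is None else r
    return pow(G, r, P), m * pow(h, r, P) % P


def paid_decryptor(x: int, cip: tuple) -> int:
    """The $1-per-call oracle: returns f / h_bar^x for any ElGamal pair.
    It learns only the pair it is handed."""
    h_bar, f = cip
    return f * pow(h_bar, (-x) % Q, P) % P        # h_bar^{-x} = h_bar^{q-x}


def blind(cip: tuple, h: int, s: int, u: int) -> tuple:
    """(g^r, k h^r) -> (g^{r+s}, u k h^{r+s}) for s in Z_q, u in G."""
    h_bar, f = cip
    return h_bar * pow(G, s, P) % P, u * f * pow(h, s, P) % P


def buy_key(x: int, h: int, package_cip: tuple) -> tuple:
    """User side of one purchase: blind, query once, unblind with u^{-1}.
    Returns (recovered key, the pair the oracle actually saw)."""
    s = secrets.randbelow(Q)
    u = pow(G, secrets.randbelow(Q), P)          # random element of G
    seen = blind(package_cip, h, s, u)
    uk = paid_decryptor(x, seen)                 # the oracle returns u * k
    return uk * pow(u, Q - 1, P) % P, seen       # u^{-1} = u^{q-1} as u^q = 1


def purchase_run(x: int, keys: tuple) -> tuple:
    """The data bank publishes cip(k_i) for each key; the buyer fetches every
    key with exactly one oracle call each. Returns the recovered keys in order."""
    h = pow(G, x, P)
    packages = [elgamal_encrypt(h, k) for k in keys]
    return tuple(buy_key(x, h, cip)[0] for cip in packages)
```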

Another application would be an electronic service for delivering sensitive,
possibly unpleasant messages like court orders, summons, admonitions and so
on. Such messages can be sent in encrypted form, given access to a decryption
oracle that combines the decryption with an acknowledgement of the receipt
of the decrypted message. This makes sure that a recipient can only read the
message by acknowledging receipt. For such a service it would be important that
the encryption is CCA-secure, so that the receipt correctly specifies the revealed
message. However, we also need security against the one-more decryption attack
as users may want to decrypt several ciphertexts. Signed ElGamal encryption
can be used for such a service.

Security of Schnorr signatures with short hash values. Let the hash
values of $H$ be random in an interval $[0, 2^k[\ \subset [0, q[\ = \mathbb{Z}_q$. The size of that
interval enters into the proof of Theorem 1 merely at the point where we argue
that the case $a_{\sigma,k} = -c\, a_{j,k}$ for $k = 2, 3, 4$ has probability $\le 1/q$. For random
hash values $c \in_R [0, 2^k[$ that case has probability $\le 2^{-k}$.

Consequently, in the case of Theorem 1 a CCA-attacker does not succeed
better than with probability $\frac{1}{2} + t^2/q + \ell (2^{-k} - 1/q)$, where $\ell$ is the number of
decryptor interactions. This shows that random hash values can securely range
over a set of $\sqrt{q}$ values.

Security of Schnorr Signatures in the ROM+GM. The proof of Theorem
1 contains a security proof for Schnorr signatures in the ROM+GM:

Corollary 1. Let $A$ be a generic algorithm that is given $g$, the public signature
key $h \in_R G$ and a random hash oracle. Using $t$ generic steps — group operations
and hash queries — $A$ cannot produce a Schnorr signature with a probability
better than $1/q + \binom{t}{2}/q$. The probability space consists of the random $h, H$.

Security against the chosen message attack. Corollary 1 extends to the
case that the adversary $A$ has a signature oracle and can ask the oracle for
signatures on messages of its choice. An interaction with the signature oracle is
counted as a generic step. The goal of the attack is to generate a new signature
which is not produced by the signature oracle. The proof of the extension is
straightforward.

Unlike the case of Theorems 1 and 2, Corollary 1 and its extension have
a counterpart in the ROM without assuming the GM, see Pointcheval and
Stern [PS96]. However, the security theorems and their proofs in the ROM use
completely different arguments — the probability bounds are less tight.
Abstract. A common practice for signing with RSA is to first apply 
a hash function or a redundancy function to the message, add some 
padding and exponentiate the resulting padded message using the de- 
cryption exponent. This is the basis of several existing standards. 

In this paper we show how to build a secure padding scheme for signing 
arbitrarily long messages with a secure padding scheme for fixed-size 
messages. This focuses more sharply the question of finding a secure 
encoding for RSA signatures, by showing that the difficulty is not in 
handling messages of arbitrary length, but rather in finding a secure 
redundancy function for short messages, which remains an open problem. 


Key words: Signature scheme, provable security, padding scheme. 

1 Introduction 

Since the discovery of public-key cryptography by Diffie and Hellman [4], one of 
the most important research topics has been the design of practical and provably 
secure cryptosystems. A proof of security is usually a computational reduction 
between breaking the cryptosystem and solving a well established problem such 
as factoring large integers, computing the discrete logarithm modulo a prime p 
or extracting a root modulo a composite integer. RSA [10] is based on this last 
problem. 

A common practice for signing with RSA is to first apply a hash (or a re- 
dundancy) function to the message m, add some padding and raise the padded 
message to the decryption exponent. This is the basis of numerous standards 
such as ISO/IEC 9796-1 [6], ISO 9796-2 [7] and PKCS#1 v2.0 [8]. 

T. Okamoto (Ed.): ASIACRYPT 2000, LNCS 1976, pp. 90-96, 2000. 
Many padding schemes have been designed and many have been broken (see 
[9] for a survey). The Full Domain Hash (FDH) scheme and the Probabilistic 
Signature Scheme (PSS) [2] were among the first practical and provably secure 
signature schemes. Those schemes are provably secure in the random oracle 
model [1], in which the hash function is assumed to behave as a truly random 
function. 

However, security proofs in the random oracle model are not “real” proofs, 
and can be only considered as heuristic, since in the real world the random oracle 
is replaced by a function which can be computed by all parties. A recent result 
by Canetti, Goldreich and Halevi [3] shows that a security proof in the random 
oracle model does not necessarily imply security in the “real world”. 

In this paper we do not model hash functions as random oracles nor assume 
the existence of collision-resistant hash functions. Instead, we assume the 
existence of a secure deterministic padding function $\mu$ for signing fixed-length 
messages and show how to build a secure padding scheme for signing arbitrarily 
long messages. This focuses more sharply the question of finding a secure 
encoding for RSA signatures, by showing that the difficulty is not in handling 
messages of arbitrary length, but rather in finding a secure redundancy function 
for short messages, which remains an open problem. 

2 Definitions 

2.1 Signature Schemes 

The digital signature of a message m is a string which depends on m and on 
some secret known only to the signer, in such a way that anyone can check the 
validity of the signature. The following definitions are based on [5] . 

Definition 1 (signature scheme). A signature scheme is defined by the 
following: 

- The key generation algorithm Generate is a probabilistic algorithm which 
given $1^k$, outputs a pair of matching public and secret keys, $\{pk, sk\}$. 

- The signing algorithm Sign takes the message $M$ to be signed and the secret 
key $sk$ and returns a signature $x = \mathrm{Sign}_{sk}(M)$. The signing algorithm may be 
probabilistic. 

- The verification algorithm Verify takes a message $M$, a candidate 
signature $x'$ and the public key $pk$. It returns a bit $\mathrm{Verify}_{pk}(M, x')$, equal to 1 if the 
signature is accepted, and 0 otherwise. We require that if $x \leftarrow \mathrm{Sign}_{sk}(M)$, then 
$\mathrm{Verify}_{pk}(M, x) = 1$. 


2.2 Security of Signature Schemes 


The security of signature schemes was formalized in an asymptotic setting by 
Goldwasser, Micali and Rivest [5]. Here we use the definitions of [2] which provide 
a framework for the concrete security analysis of digital signatures. Resistance 
against adaptive chosen-message attacks is considered: a forger $\mathcal{F}$ can 
dynamically obtain signatures of messages of its choice and attempts to output 
a valid forgery. A valid forgery is a message/signature pair $\{M, x\}$ such that 
$\mathrm{Verify}_{pk}(M, x) = 1$ whilst the signature of $M$ was never requested by $\mathcal{F}$. 

Definition 2. A forger $\mathcal{F}$ is said to $(t, q_{sig}, \varepsilon)$-break the signature scheme 
{Generate, Sign, Verify} if after at most $q_{sig}$ signature queries and $t$ processing 
time, it outputs a valid forgery with probability at least $\varepsilon$. 

Definition 3. A signature scheme {Generate, Sign, Verify} is $(t, q_{sig}, \varepsilon)$-secure 
if there is no forger who $(t, q_{sig}, \varepsilon)$-breaks the scheme. 


2.3 The RSA Cryptosystem 

RSA [10] is the most widely used public-key cryptosystem. It may be used to 
provide both secrecy and digital signatures. 

Definition 4 (The RSA cryptosystem). RSA is a family of trapdoor 
permutations. It is specified by: 

- The RSA generator $\mathcal{RSA}$, which on input $1^k$, randomly selects 2 distinct 
$k/2$-bit primes $p$ and $q$ and computes the modulus $N = p \cdot q$. It randomly picks 
an encryption exponent $e$ and computes the corresponding decryption 
exponent $d$ such that $e \cdot d = 1 \bmod \phi(N)$. The generator returns $\{N, e, d\}$. 

- The encryption function $f : \mathbb{Z}_N^* \to \mathbb{Z}_N^*$ defined by $f(x) = x^e \bmod N$. 

- The decryption function $f^{-1} : \mathbb{Z}_N^* \to \mathbb{Z}_N^*$ defined by $f^{-1}(y) = y^d \bmod N$. 

2.4 The Standard RSA Signature Scheme 

Let $\mu$ be a padding function taking as input a message of size $k + 1$ bits and 
returning an integer of size $k$ bits. We consider in figure 1 the classical RSA 
signature scheme {Generate, Sign, Verify} which signs fixed-length $(k+1)$-bit 
messages. 

3 The New Construction 

We construct in figure 2 a new signature scheme {Generate', Sign', Verify'} using 
function $\mu$. The new construction makes it possible to sign messages of size $2^a \cdot (k - a)$ bits, 
where $a$ lies between $0$ and $k - 1$ and $k$ is the size of the modulus in bits. 
The maximum length that can be handled is then $2^{k-1}$ bits for $a = k - 1$ or 
$a = k - 2$. The construction can be recursively iterated to sign messages of arbitrary 
length. For bit strings $m_1$ and $m_2$, we let $m_1 \| m_2$ denote the concatenation of 
$m_1$ and $m_2$. 

This construction preserves the resistance against adaptive chosen message 
attack of the signature scheme: 
System parameters 
  an integer $k > 0$ 
  a function $\mu : \{0,1\}^{k+1} \to \{0,1\}^k$ 
Key generation: Generate 
  $\{N, e, d\} \leftarrow \mathcal{RSA}(1^k)$ 
  public key: $\{N, e\}$ 
  private key: $\{N, d\}$ 
Signature generation: Sign 
  $y \leftarrow \mu(m)$ 
  return $y^d \bmod N$ 
Signature verification: Verify 
  $y \leftarrow x^e \bmod N$ 
  $y' \leftarrow \mu(m)$ 
  if $y = y'$ then return 1 else return 0. 


Fig. 1. The classical RSA scheme using function $\mu$ for signing fixed-length 
messages. 


Theorem 1. If the signature scheme {Generate, Sign, Verify} is $(t, q_{sig}, \varepsilon)$-secure, 
then the signature scheme {Generate', Sign', Verify'} which signs messages 
of length $2^a \cdot (k - a)$ bits is $(t', q'_{sig}, \varepsilon')$-secure, where: 

$$t' = t - 2^a \cdot q_{sig} \cdot O(k^2) \quad (1)$$ 

$$q'_{sig} = q_{sig} - 2^{a+1} \quad (2)$$ 

$$\varepsilon' = \varepsilon \quad (3)$$ 

Proof. Let $\mathcal{F}'$ be a forger that $(t', q'_{sig}, \varepsilon')$-breaks the signature scheme 
{Generate', Sign', Verify'}. We construct a forger $\mathcal{F}$ that $(t, q_{sig}, \varepsilon)$-breaks the 
signature scheme {Generate, Sign, Verify} using $\mathcal{F}'$. The forger $\mathcal{F}$ has oracle 
access to a signer $S$ for the signature scheme {Generate, Sign, Verify} and its goal 
is to produce a forgery for {Generate, Sign, Verify}. The forger $\mathcal{F}$ will answer 
the signature queries of $\mathcal{F}'$ itself. 

The forger $\mathcal{F}$ is given as input $\{N, e\}$ where $N, e$ were obtained by running 
Generate. It starts running $\mathcal{F}'$ with the public key $\{N, e\}$. 

When $\mathcal{F}'$ asks the signature of the $j$-th message $m_j$, with 
$m_j = m_j[1] \| \ldots \| m_j[r_j]$, $\mathcal{F}$ computes: 

$$\alpha_j = \prod_{i=1}^{r_j} \mu(0 \| i \| m_j[i]) \bmod N$$ 

and requests from $S$ the signature $s_j = \mu(1 \| \alpha_j)^d \bmod N$ of the message $1 \| \alpha_j$, 
and returns $s_j$ to $\mathcal{F}'$. Let $q$ be the total number of signatures requested by $\mathcal{F}'$. 
System parameters 
  an integer $k > 0$ 
  an integer $a \in [0, k - 1]$ 
  a function $\mu : \{0,1\}^{k+1} \to \{0,1\}^k$ 
Key generation: Generate' 
  $\{N, e, d\} \leftarrow \mathcal{RSA}(1^k)$ 
  public key: $\{N, e\}$ 
  private key: $\{N, d\}$ 
Signature generation: Sign' 
  Split the message $m$ into blocks of size $k - a$ bits 
  such that $m = m[1] \| \ldots \| m[r]$. 
  let $\alpha = \prod_{i=1}^{r} \mu(0 \| i \| m[i]) \bmod N$ 
  where $i$ in $0 \| i \| m[i]$ is the $a$-bit string representing $i$. 
  let $y \leftarrow \mu(1 \| \alpha)$ 
  return $y^d \bmod N$ 
Verification: Verify' 
  $y \leftarrow x^e \bmod N$ 
  let $\alpha = \prod_{i=1}^{r} \mu(0 \| i \| m[i]) \bmod N$ 
  let $y' \leftarrow \mu(1 \| \alpha)$ 
  if $y = y'$ then return 1 else return 0. 


Fig. 2. The new construction using function $\mu$ for signing long messages. 


Eventually $\mathcal{F}'$ outputs a forgery $\{m', s'\}$ for the signature scheme {Generate', 
Sign', Verify'} with $m' = m'[1] \| \ldots \| m'[r']$, from which $\mathcal{F}$ computes: 

$$\alpha' = \prod_{i=1}^{r'} \mu(0 \| i \| m'[i]) \bmod N$$ 

We distinguish two cases: 

First case: $\alpha' \notin \{\alpha_1, \ldots, \alpha_q\}$. In this case $\mathcal{F}$ outputs the forgery $\{1 \| \alpha', s'\}$ 
and halts. This is a valid forgery for the signature scheme {Generate, Sign, Verify} 
since $s' = \mu(1 \| \alpha')^d$ and the signature of $1 \| \alpha'$ was never asked of the signer $S$. 

Second case: $\alpha' \in \{\alpha_1, \ldots, \alpha_q\}$, so there exists $c$ such that $\alpha' = \alpha_c$. Let us 
denote $m = m_c$, $\alpha = \alpha_c$ and $r = r_c$. We have: 

$$\prod_{i=1}^{r'} \mu(0 \| i \| m'[i]) \bmod N = \prod_{i=1}^{r} \mu(0 \| i \| m[i]) \bmod N \quad (4)$$ 

The message $m'$ is distinct from the message $m$ because the signature of $m$ has 
been requested by $\mathcal{F}'$ whereas the signature of $m'$ was never requested by $\mathcal{F}'$, 
since $m'$ is the message of the forgery. Consequently there exists an integer $j$ such 
that: 

$$0 \| j \| m'[j] \notin \{0 \| 1 \| m[1], \ldots, 0 \| r \| m[r]\} \quad (5)$$ 

or 

$$0 \| j \| m[j] \notin \{0 \| 1 \| m'[1], \ldots, 0 \| r' \| m'[r']\} \quad (6)$$ 

We assume that condition (5) is satisfied (condition (6) leads to the same result). 
In this case $\mathcal{F}$ asks $S$ for the signatures $x'_i$ of the messages $0 \| i \| m'[i]$ for $i \in [1, r']$ 
and $i \neq j$, and the signatures $x_i$ of the messages $0 \| i \| m[i]$ for $i \in [1, r]$. Since 
from (4): 

$$\mu(0 \| j \| m'[j]) = \Big(\prod_{i=1}^{r} \mu(0 \| i \| m[i])\Big) \Big(\prod_{i \neq j} \mu(0 \| i \| m'[i])\Big)^{-1} \bmod N$$ 

the forger $\mathcal{F}$ can compute the signature of $0 \| j \| m'[j]$ from the other signatures: 

$$x'_j = \Big(\prod_{i=1}^{r} x_i\Big) \Big(\prod_{i \neq j} x'_i\Big)^{-1} \bmod N$$ 

and $\mathcal{F}$ finally outputs the forgery $\{0 \| j \| m'[j], x'_j\}$. This is a valid forgery for the 
signature scheme {Generate, Sign, Verify} since the signature of $0 \| j \| m'[j]$ was 
never asked of the signer $S$. 

We assume that $\mu$ can be computed in time linear in $k$, as is the case for 
most padding functions. The running time of $\mathcal{F}$ is then the running time of $\mathcal{F}'$ 
plus the time necessary for the multiplications modulo $N$, which is quadratic. 

□ 

Note that $q_{sig}$ must be greater than $2^{a+1}$ so that equation (2) holds. The 
security reduction is tight: the probability of success of $\mathcal{F}$ is exactly the probability 
of success of $\mathcal{F}'$. 
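
The construction of Fig. 2 and the first case of the reduction above, as an added worked example (illustration code written for this page, not the authors' implementation). It assumes a hash-based stand-in for the padding function $\mu$ (the paper leaves $\mu$ abstract), constructed toy RSA parameters (two Mersenne primes giving a 92-bit modulus, rather than the paper's generator), $a = 4$, byte-string messages whose last block is zero-padded, and at most $2^a - 1$ blocks so that the index $i$ fits in $a$ bits. The tag bit, index and block are packed exactly as in the figure: the $(k+1)$-bit input to $\mu$ is $0 \| i \| m[i]$, and the final input is $1 \| \alpha$. 

```python
import hashlib

# Constructed toy parameters for the demonstration (not the paper's RSA
# generator, which draws two random k/2-bit primes): two Mersenne primes give
# a 92-bit modulus.  Far too small for real use.
P = 2**61 - 1
Q = 2**31 - 1
N = P * Q
K = N.bit_length()                      # k: modulus size in bits (92)
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))       # e * d = 1 mod phi(N)
A = 4                                   # a: block index width in bits
BLOCK_BITS = K - A                      # each block m[i] has k - a bits


def mu(x: int) -> int:
    """Stand-in for the padding function mu: {0,1}^{k+1} -> {0,1}^k.

    The paper leaves mu abstract (a deterministic one-block encoding whose
    security is the open problem); this hash-based function is an assumption
    of the example only.  The input is a (k+1)-bit integer; the output lies
    in [1, N) so that the Fig. 1 scheme can sign it directly.
    """
    assert 0 <= x < 1 << (K + 1)
    digest = hashlib.sha256(x.to_bytes((K + 8) // 8, "big")).digest()
    return int.from_bytes(digest, "big") % (N - 1) + 1


def sign_fixed(padded: int) -> int:
    """Sign of Fig. 1: mu(m)^d mod N on a single (k+1)-bit input."""
    return pow(mu(padded), D, N)


def verify_fixed(padded: int, sig: int) -> bool:
    """Verify of Fig. 1: x^e mod N must equal mu(m)."""
    return pow(sig, E, N) == mu(padded)


def split_blocks(m: bytes) -> list:
    """Split m into r blocks of k - a bits, m = m[1] || ... || m[r].

    Simplification of the example: the last block is zero-padded, and at
    most 2^a - 1 blocks are allowed so that the index i fits in a bits.
    """
    nbits = len(m) * 8
    r = -(-nbits // BLOCK_BITS)                       # ceil(nbits / (k - a))
    assert 1 <= r < 1 << A, "too many blocks for an a-bit index"
    value = int.from_bytes(m, "big") << (r * BLOCK_BITS - nbits)
    mask = (1 << BLOCK_BITS) - 1
    return [(value >> (BLOCK_BITS * (r - i))) & mask for i in range(1, r + 1)]


def alpha(m: bytes) -> int:
    """alpha = prod_{i=1..r} mu(0 || i || m[i]) mod N.

    The (k+1)-bit input is the tag bit 0, the a-bit index i, then the
    k - a block bits, so packing i above the block gives exactly 0||i||m[i].
    """
    acc = 1
    for i, block in enumerate(split_blocks(m), start=1):
        acc = acc * mu((i << BLOCK_BITS) | block) % N
    return acc


def sign_long(m: bytes) -> int:
    """Sign' of Fig. 2: y = mu(1 || alpha), return y^d mod N."""
    return sign_fixed((1 << K) | alpha(m))


def verify_long(m: bytes, sig: int) -> bool:
    """Verify' of Fig. 2: compare x^e mod N with mu(1 || alpha)."""
    return verify_fixed((1 << K) | alpha(m), sig)


def demo() -> tuple:
    """Returns (valid, tampered_rejected, reduction_holds)."""
    m = b"constructed sample message, longer than one 88-bit block"
    s = sign_long(m)
    valid = verify_long(m, s)
    tampered_rejected = not verify_long(m[:-1] + b"!", s)
    # First case of the reduction: a Sign' signature on m is, unchanged, a
    # Fig. 1 signature on the one-block message 1 || alpha(m).
    reduction_holds = verify_fixed((1 << K) | alpha(m), s)
    return valid, tampered_rejected, reduction_holds


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns three booleans: a genuine signature verifies, a message with one altered byte does not, and the Sign' signature on $m$ verifies unchanged under the classical scheme of Fig. 1 on the one-block message $1 \| \alpha(m)$, which is exactly the observation the first case of the proof relies on. 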

4 Conclusion and Further Research 

We have reduced the problem of designing a secure deterministic general-purpose 
RSA padding scheme to the problem of designing a one block secure padding 
scheme, by providing an efficient and secure tool to extend the latter into the 
former. As stated previously, this focuses more sharply the question of finding 
a secure encoding for RSA signatures, by showing that the difficulty is not in 
handling messages of arbitrary length, but rather in finding a secure redundancy 
function for short messages, which remains an open problem. 

Our construction assumes that the padding function $\mu$ takes as input messages 
larger than the modulus; padding schemes such as ISO/IEC 9796-1 are 
consequently uncovered. A possible line of research could be a construction 
similar to ours, using a small (1024-bit) inner modulus and a larger (2048-bit) outer 
modulus. 
Abstract. We consider a problem which was stated in a request for 
comments made by NIST in the FIPS97 document. The question is 
the following: Can we have a digital signature public key infrastruc- 
ture where the public (signature verification) keys cannot be abused for 
performing encryption? This may be applicable in the context of, say, 
exportable/escrow cryptography. The basic dilemma is that on the one 
hand, (1) to avoid framing by potentially misbehaving authorities we do 
not want them to ever learn the “signing keys” (e.g., Japan at some point 
declared a policy where signature keys may be required to be escrowed) , 
and on the other hand (2) if we allow separate inaccessible public signa- 
ture verification keys, these keys (based on trapdoor functions) can be 
used as “shadow public-keys,” and hence can be used to encrypt data in 
an unrecoverable manner. Any solution within the “trapdoor function” 
paradigm of Diffie and Hellman does not seem to lead to a solution which 
will simultaneously satisfy (1) and (2). 

The cryptographic community so far has paid very limited attention to 
the problem. In this work, we present the basic issues and suggest a pos- 
sible methodology and the first scheme that may be used to solve much 
of the problem. Our solution takes the following steps: (1) it develops 
the notion of a nested trapdoor which our methodology is based on, (2) 
we implement this notion based on a novel composite “double-decker” 
exponentiation technique which embeds the RSA problem within it (the 
technique may be of independent interest), (3) we analyze carefully what 
can be and what cannot be achieved regarding the open problem by NIST 
(our analysis is balanced and points out possibilities as well as impossi- 
bilities), and (4) we give a secure signature scheme within a public key 
infrastructure, wherein the published public key can be used for signa- 
ture verification only (if it is used for encryptions, then the authorities 
can decrypt the data). The security of our scheme is based on RSA. We 
then argue how the scheme’s key cannot be abused (statically) based 
on an additional assumption. We also show that further leakages and 
subliminal leakages when the scheme is in (dynamic) use are not added 
substantially beyond what is always possible by a simple adversary; we 
call this notion competitive leakage. We also demonstrate such simple 
leaking adversary. 

We hope that our initial work will stimulate further thoughts on the 
non-trivial issue of signature-only signatures. 

T. Okamoto (Ed.): ASIACRYPT 2000, LNCS 1976, pp. 97-115, 2000. 
1 Introduction 

Traditionally, implementations of efficient digital signature algorithms have been 
constructed such that the public verification keys can be made to function as en- 
cryption keys. The separation of an encryption capability from that of signature 
verification seems interesting in general, especially in the contexts of exportable 
cryptography. In fact, in any formulated policy for encryption, it seems that 
bodies like recovery agents have no legitimate need to be able to obtain the 
signing private keys of other users. But in all of the traditional systems, sign- 
ing infrastructures can immediately be used as a shadow public key encryption 
infrastructures (a notion put forth by Kilian and Leighton [KL95]). Thus, the 
natural question posed by NIST, given the needs of the US federal agencies, was: 
“How can a public-key system incorporating both privacy as well as signatures 
which does not support unrecoverable encryption be designed?” This problem 
(the “NIST problem” in the sequel) was specifically stated in detail in a request 
for comments made by NIST in a revision of the DSA FIPS [FIPS97]. It read as 
follows: 

“The Administration policy is that cryptographic keys used by Federal agen- 
cies for encryption (i.e., to protect the confidentiality of information) shall be 
recoverable through an agency or third-party process and that keys used for dig- 
ital signature (i.e., for integrity and authentication of information) shall not be 
recoverable. Agencies must be able to ensure that signature keys cannot be used 
for encryption. Any algorithms proposed for digital signature must be able to 
be implemented such that they do not support encryption unless keys used for 
encryption are distinct from those used for signature and are recoverable. ” 

Comments were received from various computer security companies. Yet 
none of the comments attempted to give a technical solution to the problem. 
The problem as stated seems quite nontrivial. It implies the existence of a pub- 
lic key scheme and infrastructure that can only be used for signatures and not 
for public key encryptions. The problem as a whole is a purely technical chal- 
lenge (the need to separate escrowed encryption from signature was noted in 
[FY95, An97]). In this paper we attempt a solution to this problem. Note that 
minimizing the abuse and direct leakage of a signature scheme will make such 
a scheme more easily exportable, and may help prevent that which almost hap- 
pened in Japan where policy makers a number of years ago attempted to escrow 
signature keys for law enforcement purposes. 

Obviously in any on-going communication system, if one allows leakage us- 
ing timing channels and other side information like correct/incorrect message 
structure (or other side subliminal channels) one cannot prevent leakage of in- 
formation, and this information can be used cryptographically (say, for key ex- 
changes). For such covert channels, no crypto at all is in fact needed, and just a 
marking scheme (e.g. error correcting code) or a timing convention is needed. In 
fact, against such attacks, communication itself has to be halted forever, which 
is unrealistic. This is what Rivest has pointed out as the “Chaffing and Winnow- 
ing” method [R98] using authentication channels for marking. Knowing that we 
cannot eliminate covert channels, the harder question is “what can be done to 
prevent ‘direct use’ of the published signature verification key for encryption?” 
as asked by NIST. Here we also add (perhaps beyond NIST’s requirements) the 
issue of preventing (as much as possible) additional direct leakages when the 
scheme is dynamically used. We seek to eliminate leakage channels with much 
larger bandwidth (and amount of work) when compared to trivial covert chan- 
nels; we call this property “competitive leakage,” borrowing terminology from 
the field of on-line algorithms. 

The above issues together try to eliminate the added advantage for “abusers” 
resulting from the direct introduction (publishing and using) of a signature 
scheme. One has to understand what can and cannot be done in this area, 
and the answer has to be scientific and forthright. We take a first step in this 
direction by attempting to answer the publicly posed NIST problem. 

2 Analysis of the NIST Problem 

We want to prevent published keys from being abused for encryption and fur- 
ther prevent direct and easy use of a small number of published signatures for 
encryption. We note that the difficulty of completely formalizing abuse-freeness 
(especially in the context of signature schemes) has been noted in the literature 
(see Desmedt et al. [D89, BD-etal96]). We add a key registration and publication 
stage to a signature scheme, and we define a digital signature infrastructure that 
is “signature-only” as following: 

Definition 1. A Signature-Only Digital Signature Infrastructure is a digital 
signature algorithm (which is secure against existential forgeries under adaptive 
chosen plaintext attacks [GMRi88]) with the following additional properties: 

1. Security: It is not possible for the CA’s (together with hypothetical other 
authorities) to forge a signature of any user in the system (even an existential 
forgery attack). 

2. Published Key misuse freeness: The public verification key cannot be 
used to encrypt data in an unrecoverable manner. 

3. Published Key leakage resistance: The public verification key has a very 
small subliminal channel (e.g., $< 32$ bits or so), and thus cannot be used to 
effectively display a complete shadow public key. 

4. Signature leakage resistance: The signatures created using the private 
signing key are shadow public key resistant. Namely, it is not possible to use 
the properties of a given signature per se, to derive a shadow public-key. In 
addition we can strengthen the requirement and demand competitive leakage: 
the number of signatures (and complexity of derivation) required to get a 
shadow public key is approximately the same as in a trivially leaking channel 
(available by the communication). 

The first property above strengthens the traditional security and requires it 
to hold against the certification authorities (CA) which may hold extra infor- 
mation. The second property deals with abuse as required by NIST, whereas 
the other properties deal with add-on leakage of the system (compared to a non 
cryptographic system), which we have added to NIST’s original requirement. We 
note that we do not attempt to eliminate subliminal leakage, but rather try to 
minimize add-on leakage as compared to existing trivial channels. In fact, we 
will show that every on-going signing leads to trivial (unavoidable) leakage. 

Additional related work: The notion of a subliminal channel has been 
suggested by Gus Simmons [Si85]. A subliminal channel in a cryptosystem is a 
channel that allows a user of the system to leak information of his or her choos- 
ing through that channel. Simmons showed that information can be leaked in 
digital signatures, including DSA signatures [Si93]. It is known that in many 
operational environments, covert channels inherently exist. Within the context 
of key recovery systems, Kilian and Leighton showed that subliminal channels 
can be exploited to display unescrowed public keys within channels that exist 
in escrowed public keys, which are displayed by the CA [KL95]. They call this 
form of attack, which easily adds a public key directory, shadow public key abuse. 
Abuses of cryptosystems have been discussed by Desmedt [D89]. It was 
originally believed (by some) that the NSA-designed DSA [DSS91] could not be used 
for public key encryption or key exchange operations. Yet it was shown how 
the DSA verification key can be used for encryption (overtly [NR94] and even 
covertly within a single signature [YY97]). Such capabilities cannot be permitted 
if one is to design a scheme solving the NIST problem. 

Methodology: In our methodology, we first discuss the security of the scheme 
(reducing from a known problem), we then show (under a new assumption) 
how the public keys in the scheme we present cannot be used as trapdoors 
in known systems in the sense that, if they are used, then the authorities are 
able to recover data encrypted with them. We then present methods that limit 
additional subliminal leakage of information. We do not employ cumbersome 
interactive techniques (e.g., the schemes in [D89, KL95]), but rather we employ 
non-interactive methods that assure that near-random choices of public 
parameters are made (making random choices via the use of one-way hash functions 
which are regarded as random oracles, an idea rooted in the DSA parameter 
generation procedure). We also guarantee leakage-freeness in the signatures 
themselves by using deterministic (and pseudorandomized) signing algorithms 
rather than randomized signing algorithms. 

To claim security, we reduce the ability to forge (by the CA which holds more 
information than the signature verifying users) to the ability to break RSA as a 
one-way function (in the random oracle model). We assume RSA is a one-way 
function: 

Security Assumption: Given $n \in \mathbb{Z}^+$ s.t. $n = pq$ where $p$ and $q$ are distinct 
random primes of size $k$, and a fixed $e \in \mathbb{Z}^+$ s.t. $\gcd(e, \phi(n)) = 1$, and given 
a random $c \in \mathbb{Z}_n^*$, finding $m \in \mathbb{Z}_n^*$ s.t. $m^e = c \pmod n$ is hard (i.e., for any 
polynomial it takes more than polynomial in $k$ time, for all $k$ large enough). 
Naturally, we need to claim that a public key cannot be used for public key 
encryptions. Since public key information is available, we must assume or show 
the non-existence of a (probabilistic) poly-time algorithm that uses the public 
key as it was created to encrypt data without the CA being able to decrypt that 
data. This is how the notion of a “nested trapdoor” helps: on one hand the CA 
cannot sign (since the CA does not know the innermost trapdoor or otherwise 
is in violation of the security assumption), but on the other hand, the CA can 
decrypt based on the information it holds (using the middle trapdoor). 

For the outermost trapdoor, we now give the new assumption about the 
public key information that forms the basis for our proposed scheme. It is needed, 
given the state of the art of subliminal freeness in signature schemes. It basically 
states (based on the state of the art) that once the factorization of a randomly 
generated specially structured number is known (and its structure proven), it 
cannot serve as a public encryption key. More precisely: 

No-Abuse Assumption: There does not exist a secure public key encryption 
algorithm that takes $n$ as the input public key, where $n$ (of size $k$) is the product 
of two large known (to the CA only, in our case) primes $p$ and $q$ with 
$p = 2tp_1q_1 + 1$ and $q = 2q_2 + 1$, such that $p_1$ and $q_1$ are secret primes, $t$ is a small 
public safe prime, and $q_2$ is prime (and given $e$ a fixed number of size polynomial 
in $k$, such that $\gcd(e, \phi(\phi(n))) = 1$). 

Note that even though $p_1q_1$ is known (to the CA only), the encryption 
algorithm does not know it since it only takes $n$ (and $e$) as input. Given the state 
of the art, the above assumption is mathematically plausible (its validation is 
an interesting issue, and knowing whether a weaker assumption suffices is left 
open). The plausibility of the assumption can be supported as follows: 

— The assumption’s public refutation can be done by proposing an encryption 
scheme which bypasses the above factorization knowledge (of the CA in our 
case) by using either (1) an old trapdoor, or (2) a new one. The latter, in 
fact, would be an interesting new public key suggestion. 

— If a more general version of the assumption (not restricting to the exact 
structure of n above but using generic n) does not hold, then it implies the 
existence of a shadow public key attack on any factoring based key escrow 
system where w.l.o.g. p - 1 is hard to factor. 

Main Idea: Now that we discussed the assumptions, let us describe briefly 
the main idea behind the scheme. The value $\phi(\phi(n))$ effectively constitutes the 
private signing key of the user, is the domain in which the signatures are 
computed, and $\mathbb{Z}_n$ is the domain in which signature verification is performed. 
Our scheme is set up such that neither $\phi(n)$ nor $\phi(\phi(n))$ is known to the verifier, 
and such that only knowledge of $n$ is needed to verify. Also, we insure that $\phi(n)$ 
is known to the CA. Hence, any PKCS predicated on the difficulty of factoring $n$ 
provides no security against the CA. So, in our scheme there is “double-decker” 
exponentiation. The upper most deck is known only to the signer, the middle 
deck is known to the CA and the signer, and the bottom deck is known to 
everyone. We call this a nested trapdoor construction. 
Note that double-decker techniques based on the discrete log problem have 
been utilized before [St96, CaSt97, YY98]. However, the novel double-decker 
application we present requires the use of composites and is predicated on the 
problem of factoring. 

Remark: Naturally, any infrastructure that provides authenticity can be abused 
via leakage by criminals to permit authenticated communications which are un- 
tappable (since there are non cryptographic means to leak data). This is irrel- 
evant since the problem posted by NIST appears to deal with direct abuse of 
signatures for encryption (obviously, NIST did not overlook the possibility of 
subliminal/covert channel use and direct “key exchanges”). For instance, the 
certified signature keys can be used to conduct an authenticated key exchange. 
When criminals are given the ability to authenticate themselves then this type 
of abuse is entirely unavoidable. Hence, the property that we require is 
that criminals be forced to go outside of the provided key recov- 
ery/authentication mechanisms to conduct the untappable authen- 
ticated communications (e.g., force criminals to do a key exchange, which 
they can authenticate if they so choose). What is achieved here, in fact, is that 
under our assumptions and in our proposed system, a user cannot abuse keys 
directly, and usage of the system competitively, to conduct secure communica- 
tion. Recall that by ‘competitively’ we mean that we do not allow substantial 
increase in leakage via the keys or the signatures (requirements beyond NIST’s 
original problem). The scheme can therefore be viewed as the first unescrowed 
digital signature scheme which, as much as possible, does not defeat the purpose 
of a recoverable PKI when added to a recoverable PKI on its outset (but re- 
quires extra work from abusers). We note that in general, in the area of abusing 
escrow encryption, the malicious adversaries can always bypass the system and 
the remaining scientific challenges are to protect against more benign adversaries 
which do not invest much extra effort (e.g., they use the available keys) or when 
this bypassing is to be revealed by other means in the communication system. 

3 Re-examination of Existing Signature Schemes 

In this section we will analyze the shortcomings of various digital signature 
algorithms in light of the NIST requirement. None of the schemes were designed 
with NIST’s problem in mind, so these are not weaknesses but rather a reflection 
of the state of the art. 

RSA: We take the opportunity to look at an RSA variant which makes the 
RSA signing function a uniform trapdoor permutation via pre-hashing. In this 
system, $n$ is the product of two large primes $p$ and $q$, and $e$ is a public value 
such that $\gcd(e, (p - 1)(q - 1)) = 1$. $e$ and $n$ are the user’s public verification 
keys, and the inverse of $e \bmod \phi(n)$ is $d$, the user’s private signing key. The 
signature on $m$ is $s = H(i \| m)^d \bmod n$, where $i$ is the smallest positive integer 
making $H(i \| m) \bmod n \in \mathbb{Z}_n^*$ (as in [BR93]). To verify a signature we check that 
$s^e \bmod n = H(i \| m)$. Clearly $(e, n)$ can be used to encrypt data. If $d$, $p$, or $q$ is 
given to the authorities, it follows that the authorities (CA) can forge signatures. 
This applies to Rabin [Ra78] and every factoring based scheme, including ESIGN 
where $n = p^2 q$. 

ElGamal and Relatives: In ElGamal [ElG85], the public key is $y = g^x \bmod p$, 
where $x$ is the private signing key. Here $g$ is a public generator modulo the 
public prime $p$. If the private key $x$ is not given to the authorities, $y$ can be 
used for encryption (e.g., the ElGamal encryption scheme). If $x$ is given to the 
authorities, obviously they can forge signatures. The same holds for DSA, Elliptic 
Curve DSA, Schnorr, undeniable signatures, Nyberg and Rueppel, etc. 

Fiat-Shamir: In Fiat-Shamir, $n$ is the product of two primes and none of the 
users know the factorization of $n$. To generate a public key, a user generates $k$ 
different quadratic residues $v_1, v_2, \ldots, v_k$ modulo $n$. This vector is the public key. 
The scheme therefore succumbs to the following shadow public key attack. The 
user chooses a random $x$ and squares it to get $v_1$. Let $g = v_1$ be a generator of 
hopefully a large subgroup containing all quadratic residues in $\mathbb{Z}_n^*$. To generate 
$v_2$, a malicious user chooses $w$ at random and sets $v_2 = g^{2w} \bmod n$. Thus, $v_1$ 
and $v_2$ are quadratic residues, and constitute a shadow public key for generalized 
ElGamal mod $n$. The shadow private key is $2w$. (Even if we only have $v_2$, $v_1$ 
can be derived from $n$ and the user’s name, or be a constant.) 

Okamoto '92: To date, no large subliminal channel in this scheme is known. 
Recall that in this scheme, the verification key is $v = g_1^{-s_1} g_2^{-s_2} \bmod p$. Here 
$g_1$ and $g_2$ have order $q$ modulo the public prime $p$. The values for $g_1$, $g_2$, and 
$q$ are public. The private key is $(s_1, s_2)$. Both $s_1$ and $s_2$ are chosen randomly 
modulo $q$. Okamoto is based on the representation problem modulo $p$ (and so 
are fail-stop signatures). 

To sign a message $m$ in Okamoto, we choose $r_1, r_2 \in_R Z_q$. We then compute 
$e = H(g_1^{r_1} g_2^{r_2} \bmod p, m)$. Here $H$ is a one-way hash function. We then compute 
$y_1 = r_1 + e s_1 \bmod q$ and $y_2 = r_2 + e s_2 \bmod q$. The signature on $m$ is the triple 
$(e, y_1, y_2)$. To verify the signature we check that $e = H(g_1^{y_1} g_2^{y_2} v^e \bmod p, m)$. 

At first sight it seems as if the scheme is a good candidate for a solution. For, 
suppose that we don't give to the authorities $s_1$ and $s_2$. Then the authorities 
can't forge signatures. But then we need to ensure that $v$ cannot be used as 
a shadow public key. Suppose that $v$ can be used as a public key in a public 
key encryption algorithm. Since Okamoto is extendible to three or more bases, 
maybe there is no encryption algorithm if the representation uses three bases, 
or four bases, etc. This line of reasoning raises the question as to whether or not 
there exists a 'generalized Okamoto' public key encryption algorithm. 

We will now answer this question in the affirmative. Indeed, there is a public 
key algorithm that uses public keys based on the representation problem with 
any number of bases. We will demonstrate this algorithm where two bases are 
used. To public key encrypt a message $m$ using $v$ as in Okamoto's scheme, we 
do the following: 

1. $k \in_R Z_q$, $a = g_1^k \bmod p$, $b = v^k \bmod p$, $c = g_2^k m \bmod p$ 

2. The ciphertext of $m$ is $(a, b, c)$ 

To decrypt we compute: 

1. $a' = a^{-s_1} \bmod p$ which equals $g_1^{-s_1 k} \bmod p$ 

2. $b' = b / a' \bmod p$ which equals $g_2^{-s_2 k} \bmod p$ 

3. $m = c / (b')^{-s_2^{-1}} \bmod p$ (the inverse of $s_2$ taken mod $q$, so that $(b')^{-s_2^{-1}} = g_2^k$) 

This algorithm can be easily extended to handle representations using more 
bases. The ciphertext is an $(m+1)$-tuple if $m$ bases are used in the representation 
of $v$. Thus, this scheme and its extensions using more bases do not meet the 
requirements. 
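The two-base generalized Okamoto encryption just described, alongside Okamoto signing under the same key, as an added example that is not code from the paper; it assumes a constructed toy safe prime $p = 2039$ with $q = 1019$ and uses SHA-256 in place of the hash $H$:

```python
import hashlib
import secrets

# Constructed toy group (an assumption, not the paper's parameters): p = 2q + 1
# is a safe prime, so the squares G1 and G2 below both have prime order q.
P = 2039
Q = 1019
G1 = pow(2, 2, P)
G2 = pow(3, 2, P)

def H(*parts):
    """One-way hash into Z_q (SHA-256 stands in for Okamoto's H)."""
    data = ",".join(str(v) for v in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    """Okamoto '92 key: private (s1, s2), public v = g1^{-s1} g2^{-s2} mod p."""
    s1 = secrets.randbelow(Q - 1) + 1
    s2 = secrets.randbelow(Q - 1) + 1
    v = pow(G1, -s1, P) * pow(G2, -s2, P) % P
    return (s1, s2), v

def sign(sk, m):
    """Okamoto signature (e, y1, y2) on the integer message m."""
    s1, s2 = sk
    r1, r2 = secrets.randbelow(Q), secrets.randbelow(Q)
    e = H(pow(G1, r1, P) * pow(G2, r2, P) % P, m)
    return e, (r1 + e * s1) % Q, (r2 + e * s2) % Q

def verify(v, m, sig):
    """Check e = H(g1^{y1} g2^{y2} v^e mod p, m)."""
    e, y1, y2 = sig
    t = pow(G1, y1, P) * pow(G2, y2, P) * pow(v, e, P) % P
    return e == H(t, m)

def encrypt(v, m):
    """Generalized Okamoto encryption of m in Z_p^* under the verification key v."""
    k = secrets.randbelow(Q - 1) + 1
    return pow(G1, k, P), pow(v, k, P), pow(G2, k, P) * m % P

def decrypt(sk, ct):
    """Decrypt with the signing key: a' = a^{-s1}, b' = b/a' = g2^{-s2 k}, m = c / g2^k."""
    s1, s2 = sk
    a, b, c = ct
    a_prime = pow(a, -s1, P)                    # g1^{-s1 k} mod p
    b_prime = b * pow(a_prime, -1, P) % P       # g2^{-s2 k} mod p
    g2_k = pow(b_prime, -pow(s2, -1, Q), P)     # (g2^{-s2 k})^{-1/s2} = g2^k, 1/s2 mod q
    return c * pow(g2_k, -1, P) % P

if __name__ == "__main__":
    sk, v = keygen()
    m = 1234
    print("signature ok:", verify(v, 42, sign(sk, 42)),
          " decrypts:", decrypt(sk, encrypt(v, m)) == m)
```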

Naor Yung signature scheme: A digital signature algorithm (which is pre- 
sented as an important plausibility result, not as an efficient scheme) was pre- 
sented in [NY89] that is based on the existence of one-way permutations (Rompel 
uses this exact setting but with any one-way function). The system is provably 
secure against adaptive chosen message attacks. It operates by having each user 
publish a row of windows, where each window is a pair of values that form 
commitments of the user via a one-way permutation value. Since the scheme 
(and its follow up work) is not based on trapdoor functions it departs from the 
Diffie-Hellman paradigm. Does this mean it is shadow public key resistant? No, 
the problem is that even though the system itself does not employ a trapdoor 
function, it could display one subliminally assuming trapdoor functions exist. 
The problem is that each window can leak several (say, 20) subliminal bits, thus 
allowing the system to directly leak a shadow public key (e.g., an RSA public 
key which is not held by the authorities). 

4 The Signature Scheme 

In this section we describe our construction which is a first answer to the NIST 
problem. We present the scheme and the user registration procedure. 


4.1 Key Generation 

Let $e$ be an odd value (fixed and bounded as discussed below). Let $M$ be a 
security parameter (which is, say, a power of 2). Let $p_1$ and $q_1$ be $M/2$ bit 
primes. Let $q = 2q_2 + 1$ be a safe prime. These primes adhere to the following 
constraints for proper system operation: 

1. Each of $p_1 - 1$, $q_1 - 1$, and $q_2 - 1$ have a large prime in their factorization. 

2. $\gcd(e, (p_1 - 1)(q_1 - 1)(q_2 - 1)) = 1$. 

3. There exists an $M_1$-bit (e.g., $M_1 = 63$) safe prime $t$ s.t. $p = 2tp_1q_1 + 1$ is 
prime$^1$ and s.t. $\gcd(e, \phi(t)) = 1$. 

$^1$ An alternate implementation chooses $(q-1)/2$ to have the same form as $(p-1)/2$, 
but $(q-1)/2$ has a different factorization. 
If we want $|pq|$ to be a power of 2, we can choose $q$ to be $M - M_1 - 1$ bits long. 
We incorporate $t$ into $p - 1$ to make key generation fast. To provide protection 
against shadow public key abuse (see [KL95] for the attack on composites), the 
following additional constraints are needed to reduce subliminal leakage: 

1. $s$ and $s'$ are chosen (randomly). 

2. $H_1(s)$ (or $H_1(s) + 1$, see below) is the same as the upper half of the bits in 
the bit representation of $p_1q_1$. 

3. $q$ is chosen by computing $q = H(s')$ and testing for primality and strong pri- 
mality (more elaborate methods are possible, e.g., the method for generating 
parameters for DSA). 

To accomplish step 2, an algorithm similar to [L98, YY96] can be employed. 
Thus, either $H_1(s)$ is the upper order bits, or $H_1(s) + 1$ is the upper order bits 
due to a borrow bit being taken. Here $H_1$ and $H$ are suitable (ideal) one-way 
hash functions. This step is to avoid the leakage of $M/2$ bits in the composite 
$p_1q_1$. The values $p$, $q$, and $t$ are found to satisfy the above. The key generation 
algorithm then performs the following computations: 

1. $n_1 = 2tp_1q_1q_2$ 

2. Compute the smallest value $s''$ that makes $g' = H_2(s, s', s'', n)$ a generator 
mod $p$, $g'' = H_3(s, s', s'', n)$ a generator mod $q$, and $\gcd(x_i, n_1) = 1$, 
where $x_i = h_i(s, s', s'', n, i)$ for $i = 1, \ldots, K$ ($K$ odd), and $H_2$, $H_3$, $h_i$ being 
appropriate ideal hash functions. We insist that $s''$ is, say, at most 24 bits 
in length. 

3. Chinese remainder $g = g' \bmod p$ with $g = g'' \bmod q$ to get $g \bmod pq$ ($g$ then 
has order $\lambda(pq)$). 

4. $n = pq$ 

5. Compute $g_i = g^{x_i} \bmod n$ for $i = 1, \ldots, K$ 

6. $d = e^{-1} \bmod \phi(\phi(n))$ (We will use $\phi_2$ to denote $\phi(\phi(\cdot))$.) 

7. Compute $T$ to be a NIZK proof of knowledge of the factorization of $(p-1)/2t$ 
into two distinct primes (in the random oracle model). A modification of 
the techniques of [GHY89] and [BFL91] enables this (the short proof of 
[PS00] may apply as well). $T$ can also be an interactive ZK proof if we allow 
interaction. 

Note that $n_1 = \lambda(n)$ is the Carmichael function $\lambda$ of $n$. The public verification 
key is $(g, g_1, \ldots, g_K, e, n)$. The private signing key of the user is $(x_1, x_2, \ldots, x_K, 
d, n_1)$. To register the public verification key with the CA, the user sends to the 
CA the tuple $(s, s', s'', p, q, t, e, T)$. The value for $s''$ must be sent, to assure the 
CA with very high probability that $g'$ generates $Z_p^*$. In practice $n$ is about twice 
the size of a regular RSA modulus. 

It is obviously imperative that the $g$, $g_i$'s and $n$, when taken together, cannot 
easily allow $n$ to be factored. Otherwise, the composite $\lambda(n)$ would be available 
to all users and could be used as a shadow public key. Since random $g$, $g_i$'s are 
samplable, the following fact holds: 

Fact 1 The values for the $g$, $g_i$'s and $n$, when taken together, cannot be used to 
factor $n$. 
4.2 CA Registration 

The CA receives $(s, s', s'', p, q, t, e, T)$. The CA computes $r_1$ to be $(p-1)/2t$. 
The CA then sets $z$ to be the upper half of the bit representation of $r_1$. The CA 
computes $n$, $g'$, $g''$, $g$, and the $g_i$'s in the same way as the user. The CA verifies 
all of the following things: 

1. $p$ is prime, $t$ is prime, $t \mid p-1$, $|p - q|$ is large, $g''$ generates $Z_q^*$, etc. 

2. $H_1(s)$ or $H_1(s) + 1$ equals $z$. 

3. $\ldots \pm 1 \bmod p$. 

4. checks that $T$ is valid. 

$T$ convinces the CA that the user knows the signing private key. $T$ and 
step 1 prove that there are 16 possible orders for $g'$. $T$ and step 3 prove that 
$\mathrm{ord}_p(g') \in \{2tp_1, 2tq_1, 2tp_1q_1\}$, i.e., it can be only 3 of those 16. Recall that if 
$p$ is prime and $w \mid p-1$, then the number of least residues mod $p$ with order 
$w$ is $\phi(w)$. Since $g'$ is chosen by an oracle, it has order $2tp_1$ with probability 
$(t-1)(p_1-1)/p$, which is guaranteed to be negligible since $p_1q_1$ must be made 
difficult to factor. By making $p$ large enough, this quantity is still negligible even 
after a polynomial number of oracle queries by a cheating prover. The same 
holds for $2tq_1$. So, the order of $g' \bmod p$ is $2tp_1q_1$ with overwhelming probability. 
Anyway, recently an efficient method to prove in ZK that a number is of maximal 
order was shown [JY00]. Clearly $g$ has order $\lambda(n)$ if $g'$ and $g''$ are generators. 
Similarly, the CA verifies that the orders of the $g_i$'s (for $i = 1, \ldots, K$) are the same as 
the order of $g$ (i.e., that $\gcd(x_i, n_1) = 1$). 

If all of the verifications pass then the CA publishes (and certifies) the string 
$(g, g_1, \ldots, g_K, e, n)$ as the user's public verification key. 

4.3 Signing and Verifying Messages 

Let $a\|b$ denote the concatenation of string $a$ with string $b$, let the $h_i$'s be ideal full 
domain hash functions into $\{1, 3, 5, \ldots, (n+1)/2 - 1\}$ (a random oracle answer 
concatenated with a 1 as the least significant bit). To sign an arbitrary message 
$m$, the user computes $c = (x_1h_1(j\|m) + x_2h_2(j\|m) + \cdots + x_Kh_K(j\|m))^d \bmod n_1$, 
where $j > 0$ is the smallest integer making all $h_i(j\|m) \bmod n_1 \in Z^*_{n_1}$ (as 
required by the full domain hash method [BR93], and will be 1 almost always, 
thus for brevity we omit the notation $j\|m$ and use $m$ instead). The signature on 
$m$ is $c$. Note that the signer can use the Chinese Remaindering method to make 
signing faster. The verifier checks that: 

1. $c < n/2$ 

2. $g_1^{h_1(m)} \cdot g_2^{h_2(m)} \cdots g_K^{h_K(m)} \pmod n = g^{c^e} \pmod n$ 

If (1) and (2) are not satisfied then the signature is rejected. To substantiate 
verification (1), we need to show that $\lambda(n) < n/2$ for all properly chosen $n$'s. 
This can be seen from the following. 

$\lambda(n) = \mathrm{lcm}(p-1, q-1) = \mathrm{lcm}(2tp_1q_1, 2q_2) = 2tp_1q_1q_2$ 
$n/2 = (1/2)(4tp_1q_1q_2 + 2tp_1q_1 + 2q_2 + 1) > 2tp_1q_1q_2$ 

So, the claim holds. The reason we insist on making signatures less than $n/2$ 
is to avoid subliminal leakage of information in signatures. Below we elaborate 
more on this. 

Note that since $e > 2$ the only way to verify the signature is to determine 
$g^{c^e} \bmod n$ by exponentiating $e$ times: 

$((g^c \bmod n)^c \bmod n)^c \cdots \bmod n$ 

This is necessary because the modulus in the exponent is unknown to the 
verifier, thus the verifier cannot first compute $c^e \bmod n_1$ and then use this as 
the exponent for $g$. Note that signing is done in the upper most deck with the 
signature value in the middle deck, and verification is performed in the bottom 
deck. The system therefore utilizes composite-based double-decker exponentia- 
tion. For efficiency we assume $e$ to be small (theoretically, $e$ which is polynomial 
in the size of $n$ is still feasible). 

Proposition 2. Signature verification is complete (i.e., properly generated keys 
and signatures will always verify). 

Proof. If $n$ is generated properly, then verification (1) will always pass. Now 
consider verification (2). One can verify that $c^e = x_1h_1(m) + x_2h_2(m) + \cdots + 
x_Kh_K(m) \bmod \lambda(n)$. Since $g$ and the $g_i$'s have order $\lambda(n)$, by the construction 
of the $g_i$'s the claim is proved. □ 
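A toy instance of the scheme of Sections 4.1 and 4.3 (key generation steps 1 to 6, signing in the upper deck, and the $e$-fold verification in the bottom deck), added here as an example and not the paper's own code. It assumes constructed small primes $t = 5$, $p_1 = 11$, $q_1 = 23$, $q_2 = 29$ with $e = 3$ and $K = 3$, uses SHA-256 in place of the ideal hash functions, and leaves out the seed-derived upper bits of $p_1q_1$ and the proof $T$:

```python
import hashlib
from math import gcd

# Constructed toy parameters (assumptions, far below real sizes): t is a safe
# prime, e is odd with gcd(e, phi(phi(n))) = 1, and K (number of bases) is odd.
T, P1, Q1, Q2, E, K = 5, 11, 23, 29, 3, 3
P = 2 * T * P1 * Q1 + 1            # p = 2 t p1 q1 + 1 = 2531, prime
Q = 2 * Q2 + 1                     # q = 2 q2 + 1 = 59, safe prime
N = P * Q                          # public modulus n
N1 = 2 * T * P1 * Q1 * Q2          # n1 = lambda(n), known to signer and CA only
PHI2 = 2 * (T - 1) * (P1 - 1) * (Q1 - 1) * (Q2 - 1)   # phi(phi(n)) = 2 phi(lambda(n))

def is_prime(x):
    """Trial division; adequate for the toy sizes used here."""
    return x > 1 and all(x % d for d in range(2, int(x ** 0.5) + 1))

def oracle(tag, *parts):
    """SHA-256 stand-in for the ideal hash functions H2, H3 and h_i of the paper."""
    data = (tag + "|" + "|".join(str(v) for v in parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def is_generator(x, modulus, prime_factors):
    """x generates Z_modulus^* iff x^((modulus-1)/r) != 1 for every prime r | modulus-1."""
    return x % modulus != 0 and all(
        pow(x, (modulus - 1) // r, modulus) != 1 for r in prime_factors)

def crt(a, m, b, n):
    """The residue mod m*n that is a mod m and b mod n (m, n coprime)."""
    return (a * n * pow(n, -1, m) + b * m * pow(m, -1, n)) % (m * n)

def keygen(s, s_prime):
    """Steps 1-6 of Section 4.1 for seeds s, s'; returns (public key, private key)."""
    s2 = 0                                         # s'' is incremented from zero
    while True:                                    # step 2: smallest s'' that works
        g_p = oracle("H2", s, s_prime, s2, N) % P  # candidate g', must generate Z_p^*
        g_q = oracle("H3", s, s_prime, s2, N) % Q  # candidate g'', must generate Z_q^*
        xs = [oracle("h", s, s_prime, s2, N, i) % N1 for i in range(1, K + 1)]
        if (is_generator(g_p, P, (2, T, P1, Q1)) and is_generator(g_q, Q, (2, Q2))
                and all(gcd(x, N1) == 1 for x in xs)):
            break
        s2 += 1
    g = crt(g_p, P, g_q, Q)                        # step 3: g has order lambda(n)
    gs = [pow(g, x, N) for x in xs]                # step 5: g_i = g^{x_i} mod n
    d = pow(E, -1, PHI2)                           # step 6: d = e^{-1} mod phi(phi(n))
    return (g, gs, E, N), (xs, d, N1)

def fdh(i, m, n):
    """h_i: full-domain hash of message bytes m into the odd numbers 1, 3, ..., (n+1)/2 - 1.
    The j||m prefix of [BR93] is omitted, as the paper itself does in its notation."""
    return 2 * (oracle("fdh", i, m.hex()) % ((n + 1) // 4)) + 1

def sign(priv, m):
    """Upper deck: c = (sum_i x_i h_i(m))^d mod n1; the signature c is below n1 < n/2."""
    xs, d, n1 = priv
    total = sum(x * fdh(i, m, N) for i, x in enumerate(xs, 1))
    return pow(total, d, n1)

def verify(pub, m, c):
    """Bottom deck: check c < n/2 and prod_i g_i^{h_i(m)} == g^(c^e) (mod n).
    The verifier does not know lambda(n), so g^(c^e) is obtained by raising to c e times."""
    g, gs, e, n = pub
    if c < 0 or 2 * c >= n:                        # check (1)
        return False
    lhs = 1
    for i, gi in enumerate(gs, 1):
        lhs = lhs * pow(gi, fdh(i, m, n), n) % n
    rhs = g
    for _ in range(e):                             # ((g^c)^c)...^c, e exponentiations
        rhs = pow(rhs, c, n)
    return lhs == rhs                              # check (2)

if __name__ == "__main__":
    pub, priv = keygen(12345, 67890)
    c = sign(priv, b"constructed message")
    print("lambda(n) < n/2:", N1 < N / 2,
          " signature verifies:", verify(pub, b"constructed message", c))
```

With these sizes the loop over $s''$ needs on the order of a few hundred hash evaluations, since a random residue is a generator mod $p$ only with probability $\phi(p-1)/(p-1)$.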

5 Security Against Forgeries: Validation Proof 

Recall that the user sends to the CA the tuple ( s,s',s",p,q,t,e,T ). We need 
to show that given this information, and given a polynomial number of mes- 
sage/signature pairs, it is not possible for the CA to forge messages (i.e., that 
the CA can’t choose messages and sign them, or even produce existential forg- 
eries). We will do this in two steps. First we will show that the tuple that is given 
to the CA during certification does not help the CA forge, then we will show 
that a slight modification of our system is identical in security to RSA, and that 
this modification implies that our scheme is also secure. We will then show even 
further that in the random oracle model, our system is secure against adaptive 
chosen message attacks (we are aware of the advantages of having such proofs, 
e.g. [BR93], as well as the existence of limitations for certain implementation 
constructs which are not applied here [CGH98]). 

Note that the CA knows $\lambda(n)$, since $\lambda(n) = n_1 = (1/2)(p-1)(q-1)$. The 
CA does not know $\phi(\phi(n))$, since the CA doesn't know the factorization of $p_1q_1$. 
We need to show that no information about the factorization of $p_1q_1$ is leaked 
to the CA by $(s, s', s'', p, q, t, e, T)$, excluding deliberate leakage (i.e., assuming 
an honest user). First, nothing is leaked by $T$ since this is a zero-knowledge proof. 
Also, $t$ need not even be sent by the user, since it can be found easily by the CA. 
The seeds $s$, $s'$, and $s''$ contribute the information constituting the upper order 
bits of $p_1q_1$, the prime $q$, the generators $g'$, $g''$, and the exponents bringing 
$g$ to $g_i$ where $i = 1, \ldots, K$, and nothing else, since they constitute the preimages 
under the random oracle hash functions $H_1$, $H_2$, and $H_3$, and $h_1, \ldots, h_K$. To see 
this, note that under the random oracle assumption, each hash value is chosen 
uniformly at random from its respective set, and the result is therefore inde- 
pendent (as viewed by all poly-time algorithms) of the random hash function's 
input. It follows that the only information leaked by $s$, $s'$, and $s''$ is the upper 
order bits of $p_1q_1$ (which is already known to the CA from $p$), and also $q$, $g'$, $g''$, 
$g$, and $g_1, \ldots, g_K$. If we can show that no information about the factorization of 
$p_1q_1$ is leaked by $g'$ then we will be done. 

Suppose that given a generator $g'$ of $Z_p^*$, and given $p$, an oracle $A$ can be used 
to factor $p-1$, where $p$ is prime. In other words, $A(g', p)$ outputs the factorization 
of $p-1$. Then $A$ can be used to factor any composite $n$ as follows. Choose a 
prime $k$ randomly s.t. $2kn + 1$ is a prime number $p'$. Choose a value $h \in_R Z_{p'}^*$ and 
run $A(h, p')$. If $A$ fails, choose $(k, h)$ over and repeat. Since there are $\phi(p'-1)$ 
generators of $Z_{p'}^*$, we expect to factor $n$ with probability $\phi(p'-1)/(p'-1)$ each 
time we invoke $A$. Thus, $p'-1$ will be factored in expected poly-time. We have 
shown via random reduction that factoring $n$ is no harder than implementing 
the oracle $A$. So, implementing the oracle $A$ which uses $g'$ and $p$ to factor $p-1$ 
is no easier than factoring $n$. Since $g'$ is chosen (accessed) almost randomly, it 
follows that $g'$ contributes in no way to the CA's ability to factor $(p-1)/2t$. 
Thus, we have shown that: 

Lemma 3. No information about the factorization of $p_1q_1$ (and hence $\phi_2(n)$) is 
leaked to the CA by $(s, s', s'', p, q, t, e, T)$. 

To forge, the CA need not necessarily output a $c$ satisfying $c < \lambda(n)$, since the 
users who will perform verifications do not know $\lambda(n) = n_1$. The CA therefore 
needs only to output a $c < n/2$ s.t. $g^{x_1h_1(m) + x_2h_2(m) + \cdots + x_Kh_K(m)} \pmod n = 
g^{c^e} \pmod n$ to forge, since users can be certain that $c$ must be less than $n/2$. 
But, if the CA knows a valid $c > n_1$, then the CA knows a valid signature in 
the correct range, since $c \bmod n_1 < n_1$. Thus, a CA that can output an acceptable 
forgery knows a forgery in the correct range. The following proves 
that forgeries are possible in our system by the CA iff the CA can break RSA. 

Theorem 4. The CA can forge signatures of users in our system (without hash- 
ing) using exponent $e$ iff the CA can forge signatures in the RSA scheme (without 
hashing) using exponent $e$. 

Proof. Let $n = pq$, and let $e$ be a small number s.t. $\gcd(e, \phi(\phi(n))) = 1$. Fur- 
thermore, let $t$ be a safe prime, and let $p = 2tp_1q_1 + 1$, $q = 2q_2 + 1$, and $q_2$ 
be prime. Suppose that the CA has an oracle $A_e$ that uses an exponent $e$ such 
that when given $(n, m)$ produces $c < n/2$ s.t. $g^{x_1 m + \cdots + x_K m} \bmod n = g^{c^e} \bmod n$. 
In other words, $c = A_e(n, m) < n/2$ is a valid signature on $m$ in our algo- 
rithm (without hashing), hence the CA can forge signatures in our system. Let 
$n'$ be an RSA modulus, i.e., $n' = p_3q_3$ where $p_3$ and $q_3$ are prime. Let the 
RSA exponent be the same $e$ as in our scheme. Thus, $\gcd(e, \phi(n')) = 1$. Let 
$d'$ be s.t. $ed' + w\phi(n') = 1$ for some integer $w$. The CA can use $A_e$ to forge 
RSA signatures for the public key $(e, n')$ by choosing a small safe prime $t$ ran- 
domly s.t. $p' = 2tn' + 1$ is prime, and by choosing a random safe prime $q'$ 
where $q' = 2q'' + 1$. The CA makes sure that $\gcd(e, \phi(t)\phi(q'')) = 1$. Let $d''$ 
be s.t. $ed'' = 1 \bmod \phi(2tp_3q_3q'')$. To forge an RSA signature, the CA chooses 
$r \in_R Z^*_{\lambda(p'q')}$ and computes $\hat c = r^{-1} A_e(p'q', r^e m/(x_1 + \cdots + x_K)) \bmod 2tn'q''$. 
It follows that $\hat c = m^{d''} \bmod 2tn'q''$. The CA then sets $c = \hat c \bmod n'$. 

$\hat c = m^{d''} + k \cdot 2tp_3q_3q''$ for some integer $k$ 
$c = \hat c \bmod p_3q_3 = m^{d'' \bmod \lambda(p_3q_3)} \bmod p_3q_3$ 

But, $d'' \bmod \lambda(p_3q_3)$ is the inverse of $e$ modulo $\lambda(p_3q_3)$. To see this note that, 

$ed'' + v\lambda(2tp_3q_3q'') = 1$ for some integer $v$ 

But, $\lambda(p_3q_3) \mid \lambda(2tp_3q_3q'')$. So, $e(d'' \bmod \lambda(p_3q_3)) = 1 \bmod \lambda(p_3q_3)$. Thus, $c$ 
is a valid signature on $m$ in RSA mod $p_3q_3$. 

Conversely, suppose that the CA can forge signatures in the RSA scheme 
using the exponent $e$. So, assume that the CA has an oracle $B_e$ that uses $e$, a 
composite of two different primes $n_1$ and a message $m$, that produces a valid RSA 
signature $c \bmod n_1$ on $m$. That is, $c = B_e(n_1, m)$ is a valid RSA signature on $m$. A 
CA knowing the composite $p_1q_1$ and the prime $q_2$ of a user can use $B_e$ as an oracle 
to forge in our system as follows. The CA computes $\hat c = B_e(p_1q_1, r^e m(x_1 + \cdots + 
x_K))/r \bmod p_1q_1$ where $r$ is chosen randomly from its respective message space, 
and computes $c' = (m(x_1 + \cdots + x_K))^{e^{-1} \bmod \phi(2tq_2)} \bmod 2tq_2$. Note that it was verified 
by the CA that $\gcd(e, \phi(t)) = 1$, $p = 2tp_1q_1 + 1$ is prime, and that $q = 2q_2 + 1$ 
is a safe prime. The CA Chinese remainders $\hat c \bmod p_1q_1$ with $c' \bmod 2tq_2$ to 
produce $c \bmod 2tp_1q_1q_2$. □ 

Note that the above proof constitutes a randomized reduction where if oracle 
$A_e$ exists, then we show the existence of only one other oracle, namely oracle 
$B_e$, and vice-versa (i.e., existence of $A_e$ does not necessarily imply the existence 
of $B_{e'}$ for all $e'$). However, we need only assume that every oracle succeeds on a 
fixed fraction of the message space. Thus, our system is no more or less secure 
than RSA. Since the above holds for the CA, clearly the same holds for all of 
the users in the system, who have access to even less information than the CA. 

We will now prove that our signature scheme is secure against adaptive chosen 
message attacks under the random oracle model, assuming that RSA is secure. 
Since $t$ and $q_2$ are known to the CA, the CA can always compute the partial 
signature $c_1 = (x_1h_1(m) + x_2h_2(m) + \cdots + x_Kh_K(m))^{e^{-1} \bmod \phi(2tq_2)} \bmod 2tq_2$ 
on a message $m$. Therefore, when the user sends the CA a signature $c$ on mes- 
sage $m$, the user can send the signatures $c_1$ and $c_2 = (x_1h_1(m) + x_2h_2(m) + 
\cdots + x_Kh_K(m))^{e^{-1} \bmod \lambda(p_1q_1)} \bmod p_1q_1$ instead, since the CA can just Chinese 
Remainder $c_1$ and $c_2$ to get $c$. For the purposes of this proof, we will assume 
a digital signature scheme in which everyone knows $p$, $q$, $t$, $g'$, $g''$, and the 
$g_i$'s and in which the two signatures $(c_1, c_2)$ constitute the actual signature 
on $m$. The generation and verification of $c_1$ is straightforward, and the gen- 
eration and verification of $c_2$ is as in RSA with hashing. Though it is impor- 
tant to note that this proof holds for the specific full domain hash function 
$Hash(m) = x_1h_1(m) + x_2h_2(m) + \cdots + x_Kh_K(m)$. Now, since the basic $h_i$ are 
random oracles over their domain (of odd numbers), and adding mod $n_1$ assures 
that we stay within the domain (provided $K$ is odd), we can use $Hash$ as an 
ideal (random oracle) hash function (over a certain domain), and the arguments 
of the security of the full domain hash hold. 

Theorem 5. Assuming the random oracle assumption holds on the $h_i$'s, and 
assuming that our security assumption holds (i.e., RSA being a one-way func- 
tion), the signatures $c_2$ are secure against adaptive chosen message attacks with 
respect to the CA. 

Proof. We apply the Full-Domain Hash analyzed in [BR93, C00] based on a 
random oracle over a sub-domain of $Z^*_{n_1} = Z^*_{2tp_1q_1q_2}$ (explained below), and get 
a full domain hash $Hash$, which takes messages $m$ and gives a random element 
from that full domain. Clearly, $c_1$ provides no assurance that $m$ is authentic, 
since $c_1$ can be produced by anyone with the CA's knowledge. It follows that our 
digital signature scheme is secure against adaptive chosen message attacks iff the 
key generation algorithm for $c_2$, the signing algorithm for $c_2$, and the verification 
algorithm for $c_2$ are secure against adaptive chosen message attacks. It was shown 
in [BR93, C00] that indeed these algorithms (using a full-domain hash) are secure 
against adaptive chosen message attacks. Now, using the Chinese Remainder 
Theorem, $c_2 = (x_1h_1(m) + x_2h_2(m) + \cdots + x_Kh_K(m))^{e^{-1}} \bmod p_1q_1$. In the security 
proof the value of $c_2$ before the exponentiation (namely, $x_1h_1(m) + x_2h_2(m) + 
\cdots + x_Kh_K(m)$) is in fact assumed to be chosen by a random oracle drawing 
elements from $Z^*_{p_1q_1}$, which is the domain over which we want to prove security. 
This can be assumed due to the 1-1 mapping between the elements assured to 
be (almost always) in $Z^*_{n_1}$ and the set of their remainders: $c_1, c_2$. Furthermore, 
due to the random oracle assumption which gives us a degree of freedom in 
fixing polynomially many values (of $c_2$) in the attack protocol, when arguing 
about a value, we can always solve for the randomly chosen $c_2$ element of our 
choice (by "playing" with the actual value of one of the basic hash values $h_i$) 
and then, in the simulation, have a desired challenged value or probed element 
be a random element of our choice in $Z^*_{p_1q_1}$ (which we already know the 
result of applying the exponentiation to). By doing so we determined $c_1$ with an 
arbitrary value, due to the algebraic relation. Under the above proper random 
oracle assumption, we can turn the signature values ($c_2$) into desired (random) 
challenges whose inverses are actually accessible anyway (by our choice), and 
then "chosen plaintext" which is the input to the RSA operation is reduced 
to a "random plaintext" attack on the RSA operation (namely, it reduces the 
adaptively chosen plaintext forgery attack to the security of RSA as a one-way 
function into the domain of the $c_2$ elements). The full domain hash assumption 
enables us to argue that the "altered random oracle" (which is modified in only a 
few polynomially-many places) is statistically indistinguishable from the original 
one. A more sophisticated oracle answering strategy is in [C00]. □ 

6 Arguing Published Key Abuse Freeness 

To show the resistance of $(g, g_1, \ldots, g_K, e, n)$ to abuses, it is necessary to show 
two things: 

1. Key misuse freeness: the values in $\{g, g_1, \ldots, g_K, e, n\}$ cannot be used directly 
as a shadow public key in any PKCS. 

2. Key leakage resistance: the information in $(g, g_1, \ldots, g_K, e, n)$ cannot display 
enough subliminal bits to constitute a secure shadow public key. 

To show (1), first notice that we claim that $n$ cannot be used for unrecover- 
able RSA/factoring-based encryptions using $n$ as the composite modulus, simply 
because the CA knows the factorization of $n$. From the No-Abuse assumption 
there is no other way to exploit $n$ (here is where we strongly employ this as- 
sumption). 

Next observe that the way $g$ is generated makes it a random maximal order 
element. Assuming discrete logarithm is a hard problem on random instances, 
even when the factorization is known (this is a regular discrete log assumption), 
will prevent the user from using it as a base for a public key. As for the $g_i$'s, the 
CA is aware of the same information about them as the user is. Finally, since 
a small enough $e$ can be fixed among all the users, it cannot be or contribute to a 
shadow public key. 

We will now observe a simple yet strong result about the modified system 
containing only $(n, e)$, which uses a fixed $e$ (without the $g$ and the $g_i$'s): 

Theorem 6. If there exists a shadow public key attack on pq where pq “is” the 
shadow public key then there exists a shadow public key attack on any composite 
pq based key escrow system where the user chooses p and q at the users own 
discretion and where p (or q) is escrowed. 

This directly follows from the fact that what is published in this modified 
system is exactly what is published in any composite pq based key escrow system 
(where users can choose the form of, w.l.o.g., p — 1). 

Next we argue (2), namely that there is no key leakage (based on the current 
state of the art). We need to show that there is no subliminal channel in $n$ of 
significant bandwidth. Recall that $\lambda(n)$ has $p_1q_1$ and $q_2$ in its factorization. The 
value $p_1q_1$ was generated in such a way as to minimize subliminal channels in 
it. This was done by making its upper order bits a one-way hash (behaving like 
a random oracle) of a random number $s$, and is precisely the method used to 
foil high bandwidth shadow public key attacks in RSA moduli (by filling the 
subliminal channel). By forming $p_1q_1$ in this way, there can only be a small 
(logarithmic length) subliminal channel in $p_1q_1$ (we may also insist that the 
values chosen via the one way function have a fixed number of bits). Similarly, 
$q_2$ can only have a similarly small subliminal channel since it is chosen by a 
random oracle. Since $t$ is a small odd value, it provides no significant subliminal 
channel either. It follows that $\lambda(n)$ is mostly random and has no substantial 
subliminal channel, so neither does $n$ (which is built from it in a given format). 

Now consider $g$. The value $g$ is computed based on $g'$ and $g''$. But, $g'$ is chosen 
by a random oracle whose inputs are the values $s$, $s'$, $n$, and $s''$. So, $g'$ has no 
substantial subliminal channel. We make $s$, $s'$, and $n$ inputs to a random oracle 
and increment $s''$ from zero to find $g'$ as a precautionary measure to limit the 
amount of subliminal leakage in $g$. This precaution works because $s''$ is small, and 
thus a malicious user is forced to regenerate $n$ if the user fails to leak enough 
information in $g$ by the time $s''$ reaches its maximum allowable value. Thus, 
the key generation time is inhibited when key generation is modified to leak 
subliminal information via $g$. The same argument applies to $g''$, so $g$ is mostly 
random and has no substantial subliminal channel. In fact, $g$ is effectively chosen 
almost uniformly at random (by a random oracle). Furthermore $g_i$ is chosen via 
$x_i$ and $g$, and $x_i$ is formed from the same information (under a different random 
oracle) as $g'$ and $g''$. We note that using one-way hashing to generate trap-door 
free parameters was first proposed by NIST with respect to DSA. This concludes 
the arguments suggesting that $(g, g_1, \ldots, g_K, e, n)$ does not leak enough subliminal 
information. In practice it may be possible to leak on the order of $O(\log \log(n))$ 
bits or so if an attacker works hard (searching for a pattern), but again, we 
are protecting only in the relative sense: it may be that so little an amount of 
information can be subliminally sent outside the cryptographic system. 

7 Arguing Signature Leakage Resistance 

Can a single signature leak information? Clearly, if there were a way to output 
more than one signature for a given $m$, it may be possible to leak bits of sub- 
liminal information. So, we would like to show that for each message $m$, with 
overwhelming probability there is only one valid signature $c$ on $m$. Then, since 
the signing algorithm is deterministic, we will be well on our way to showing 
that our signatures are leakage resistant from this aspect. 

Proposition 7. With overwhelming probability, it is not possible to find an $m$ 
s.t. $c, c' < n/2$ will both be accepted as valid signatures on $m$. 

Proof. From signature verification it is clear that all the valid signatures on $m$ 
are specified by 

$c_j = j\lambda(n) + ((x_1h_1(m) + \cdots + x_Kh_K(m))^d \bmod \lambda(n)) < n/2$, for $j \ge 0$ 

Clearly $c_0$ will always be a valid signature. If $h_i$ is a random oracle, then for 
each $m$, the probability that $c_j$ is a valid signature is negligible if $j \ge 1$. We will 
prove this by first proving that it holds for $j = 1$, and the fact that it holds for 
all $j > 1$ will be immediate. Note that if $j = 1$ then $c_j$ is a valid signature iff 
$((x_1h_1(m) + \cdots + x_Kh_K(m))^d \bmod \lambda(n)) < n/2 - \lambda(n) = tp_1q_1 + q_2 + 1/2$. Since the 
$h_i$'s are random oracles, then $(x_1h_1(m) + \cdots + x_Kh_K(m))^d \bmod \lambda(n)$ is chosen 
randomly from $Z^*_{\lambda(n)}$, independent of $m$. Thus, $(x_1h_1(m) + \cdots + x_Kh_K(m))^d 
\bmod \lambda(n) < n/2 - \lambda(n)$ with probability $(tp_1q_1 + q_2 + 1/2)/(2tp_1q_1q_2)$, which is 
negligible. □ 

Next, we analyze the leakage of a sequence of signatures, which we want 
to show to be competitive, namely that there are trivial channels in the usage 
of signatures that allow the leakage of a public key. Next we present a leakage 
design, based on ordering of signatures only (and not assuming further timing, 
errors or error correcting based leakage). This shows that in on-going usage there 
are plenty of opportunities to leak information (which is expected). 

Universal attack: this attack works as follows. The user encodes the shadow 
public key 15 bits at a time, by successively taking 8 unique signatures at a 
time, and ordering them in a specific way in the post to the bulletin board, say 
(assuming that scheduling the signatures has this degree of freedom). There are 
8! ways to order the signatures (which are distinguished and ordered by their 
numeric value), so 15 bits can be encoded. This allows us to encode efficiently. 
For example in 168 signatures we can encode a 314 bit shadow public key (e.g. 
based on an elliptic curve over GF(2 157 )). This is a “non-cryptographic leakage” 
which is trivial (and with additional covert information and better encoding we 
can do with much fewer signatures). 

What leakage can we produce in our system? We can, for example, leak $\lambda(n)$ 
over the course of using the signature system, exploiting the structure of our 
system. In fact, it works as follows: when signing a message $m_i$ we produce 
signature $c_i$; the attacker gets information (over the integers) of the form $(c_i)^e = 
x_1h_1(m_i) + \cdots + x_Kh_K(m_i) + r_i\lambda(n)$ where the $x_i$'s are fixed and unknown and the 
unknown last (free) term ($r_i\lambda(n)$) is a multiple of $\lambda(n)$ ($r_i$ is associated with $c_i$). 
The fixed unknown $x_i$'s can be eliminated from the expressions as additional 
signatures are added; after $K + 1$ equations, we are left with a large integer 
representing a multiple of $\lambda(n)$, which can then be used as a public key (and if 
the process is continued we can get smaller multiples via gcd's and get to isolate 
$\lambda(n)$). This type of leakage was first pointed out by Bleichenbacher. Notice that by 
choosing $K$ large enough and choosing $e$ large enough we force the attacker to 
collect a large enough number of signatures and to work over large integers, thus 
making leakage in the scheme more competitive. 

There is an obvious tradeoff between efficiency and the competitive factor of this
specific leakage scheme. Small K gives a signature whose signing is as expensive as
RSA (of double the size) and whose verification takes e + K exponentiations (we
implemented the scheme for small values). Finally, we remark that naturally, other
leakages may still exist and their presence is an open problem. It is very hard to
quantify leakage of this form, and it may be that moderate complexity measures are
enough since we deal with prevention in light of existing trivial channels
(achieving “competitive leakage”).
8 Conclusion

In reaction to NIST's problem, we have presented a framework and an implementation
for a digital signature PKI where the public verification keys cannot be abused
safely for encryption. We proved its security, argued its no-abuse property, and
further argued concretely, based on the state of the art, why the leakage with
on-going use is competitive (compared with universally available means of leakage,
which we also pointed out). Numerous issues remain to be investigated, like the
validation of our no-abuse assumption, whether our assumptions are necessary, and
whether or not weaker assumptions can be used. We employed the random oracle proof
methodology numerous times regardless of its possible weaknesses. A question one
might ask is whether or not there are solutions which do not employ random oracles,
yet are efficient, etc. (there may exist a situation where a random oracle is used
for arguing that some elements are chosen almost at random, but where standard
complexity-theoretic proofs are used for the security argument). The notion of
“non-leakage” (or reduced leakage) and its reduction and implementation is another
unexplored area: formalization and characterization of the issues, notions, and
solutions in the area are left open.
Abstract. We improve the Bellare-Miner (Crypto '99) construction of signature
schemes with forward security in the random oracle model. Our scheme has
significantly shorter keys and is, therefore, more practical. By using a direct
proof technique not used for forward-secure schemes before, we are able to provide
better security bounds for the original construction as well as for our scheme.

Bellare and Miner also presented a method for constructing such schemes without the
use of the random oracle. We conclude by proposing an improvement to their method
and an additional, new method for accomplishing this.

Keywords: forward security, digital signatures, proven security, concrete
security.


1 Introduction 

1.1 The Problem 

Many cryptographic techniques today, whether only available in the literature or 
actually used in practice, are believed to be quite secure. Several, in fact, can be 
proven secure (with appropriate definitions) under very reasonable assumptions. 
In a vast majority of solutions, however, security guarantees last only as long as 
secrets remain unrevealed. If a secret is revealed (either accidentally or via an 
attack), security is often compromised not only for subsequent uses of the secret, 
but also for prior ones. For example, if a secret signing key becomes known to 
an adversary, one cannot trust any signature produced with that key, regardless 
of when; if a secret decryption key becomes known to an adversary, then any 
encrypted message, even if sent long before, is not guaranteed to remain private. 

T. Okamoto (Ed.): ASIACRYPT 2000, LNCS 1976, pp. 116-129, 2000.
© Springer-Verlag Berlin Heidelberg 2000

A New Forward-Secure Digital Signature Scheme 117

To address this problem, several different approaches have been suggested. Many
attempt to lower the chance of exposure of secrets by distributing them across
several systems, usually via secret sharing. As pointed out in [3], this method is
usually quite costly, and may, in fact, be too expensive to be implemented by a
typical individual user. Moreover, since each of the systems may be susceptible to
the same attack, the actual risk may not decrease.

A complementary approach is to reduce the potential damage in case secrets are
exposed. In what is often called forward security, the main idea is to ensure that
secrets are used only for short time periods, and that compromise of a secret does
not affect anything based on secrets from prior time periods. One of the challenges
in designing such a system is to be able to change secret information without the
inconvenience of changing public information, such as the public key.

This approach has been known in the context of key agreement as forward secrecy
[14,8]. In the context of digital signatures, it was first proposed, together with a
few simple solutions, by Anderson in [2]. Bellare and Miner formalized Anderson's
approach and provided more solutions in [3].

The specific problem addressed in this paper is that of designing a forward-secure
signature scheme.


1.2 Forward-Secure Signature Schemes 

Informally, a key-evolving signature scheme is one whose operation is divided into 
time periods, with a different secret key for each time period. Each secret key 
is used to sign messages only during a particular time-period, and to compute a 
new secret key at the end of that time period. It is then erased. As in ordinary 
signature schemes, however, there is only one public key, which remains the same 
through all the time periods. The verification algorithm checks not only that a 
signature is valid, but also that it was generated during a specific time period. 

Such a scheme is forward-secure if it is infeasible for an adaptive chosen-message
adversary to forge signatures for past time periods, even if it discovers the secret
key for the current time period. Note that, in particular, this implies that past
secret keys cannot be recovered from the current one. In a forward-secure signature
scheme, even if the current secret key is compromised, signatures from past time
periods can still be trusted.

Anderson [2] proposed a construction of forward-secure signature schemes in 
which the size of secret key (but not the public key) grows linearly with the 
number of time periods. The first forward-secure signature schemes in which key 
sizes do not grow linearly were proposed by Bellare and Miner in [3]. Their most 
efficient scheme, forward-secure in the random oracle model of [4] (assuming 
factoring is hard), uses ideas from the Fiat-Shamir [10] and Ong-Schnorr [16] 
identification and signature schemes. 

As mentioned in [3], although still practical, their scheme requires very large 
keys, mainly because the original Fiat-Shamir scheme required very large keys 
(in fact, the forward-secure scheme of [3] does not add much to the already large 
key). 
1.3 Our Contributions

Main result. We propose a new forward-secure digital signature scheme, with much
shorter keys than those in the scheme of [3]. In fact, our keys are comparable in
size to those used in similar ordinary signature schemes.

Similarly to the scheme of [3], our scheme is based on signature schemes that are
derived from three-round identification protocols. Specifically, the scheme is based
on a generalized version of Micali's signature scheme [17], which is in many ways
similar to the schemes of Ong-Schnorr [16], Guillou-Quisquater [13] and Ohta-Okamoto
[19]. It is quite simple and efficient, although the computational efficiency of
some components is less than that of the scheme of [3]. Our scheme can also be
proven forward secure in the random oracle model, assuming factoring is hard.

Other contributions. While [3] use reduction to identification schemes to prove
security, we use a direct proof technique. This enables us to provide a tighter
exact security analysis for our scheme than the indirect technique of [3]. In fact,
our technique can also be applied to the scheme of [3] to obtain a tighter security
analysis for that scheme (which we present in Section 3.5).

We also present methods of achieving forward security in signature schemes without
relying on random oracles. In general, they are less efficient than our main
construction, and are not practical. However, they are still of interest, and can be
viewed as an improvement on the tree-based construction of [3].

2 Definitions 

All definitions provided here are based on those given in [3], which in turn are
based on those given in [12] and [5]. Due to space constraints, we provide little
discussion of our formal definitions; more discussion can be found in [3] and in the
full version of our paper [1].


2.1 Forward-Secure Digital Signature Schemes 

A forward-secure digital signature scheme is, first of all, a key-evolving digital 
signature scheme. A key-evolving signature scheme is very similar to a standard 
one, except that its operation is divided into time periods, each of which uses 
a different secret key to sign a message. The keys are updated by an algorithm 
that computes the secret key for the new time period based on the current secret 
key. Note that the public key stays the same. 

Definition 1. A key-evolving digital signature scheme is a quadruple of algorithms,
FSIG = (FSIG.key, FSIG.update, FSIG.sign, FSIG.vf), where:

— FSIG.key, the key generation algorithm, takes as input a security parameter k ∈ N
(given in unary as 1^k) and the total number of periods T and returns a pair
(SK_0, PK), the initial secret key and the public key;

— FSIG.sign, the signing algorithm, takes as input the secret key SK_j for the
current time period j and the message M to be signed and returns a pair (j, sign),
the signature of M for time period j;

— FSIG.update, the secret key update algorithm, takes as input the secret key for
the current period SK_j and returns the new secret key SK_{j+1} for the next period.

— FSIG.vf, the verification algorithm, takes as input the public key PK, a message
M, and a candidate signature (j, sign), and returns 1 if (j, sign) is a valid
signature of M or 0, otherwise.

It is required that FSIG.vf_PK(M, FSIG.sign_{SK_j}(M)) = 1 for every message M and
time period j. We also assume that the secret key SK_j for time period j ≤ T always
contains both the value j itself and the value T of the total number of periods.
Finally, we adopt the convention that SK_{T+1} is the empty string and that
FSIG.update(SK_T) returns SK_{T+1}.

When we work in the random oracle model, all the above-mentioned algo- 
rithms would additionally have oracle access to a public hash function H, which 
is assumed to be random in the security analysis. 

Security. Forward-security for key-evolving signature schemes is defined simi- 
larly to the way security is defined for classical signature schemes in [12], except 
that the adversary is allowed, in addition to the usual adaptive chosen-message 
attack, to “break-in” and learn the secret key for a given time period. Its task 
is then to forge a signature on a new message for a time-period prior to the one 
whose secret key it learned. Formally, this adversary is modeled via the following 
experiment (in the random-oracle model). In this experiment, the adversary is 
denoted by F, and works in either the chosen-message attack stage (cma) or 
the forgery stage (forge). It indicates its desire to switch from cma to forge by 
outputting the string breakin. Its state is preserved between invocations.

Experiment F-Forge-RO(FSIG, F)
    Select H : {0, 1}* → {0, 1}* at random
    (PK, SK_0) ← FSIG.key^H(k, ..., T)
    j ← 0
    Repeat
        j ← j + 1
        SK_j ← FSIG.update^H(SK_{j-1}); d ← F^{H, FSIG.sign^H_{SK_j}(·)}(cma, PK)
    Until (d = breakin) or (j = T)
    If d ≠ breakin and j = T then j ← T + 1
    (M, (b, sign)) ← F^H(forge, SK_j)
    If FSIG.vf^H_PK(M, (b, sign)) = 1 and 1 ≤ b < j
        and M was not queried of FSIG.sign^H_{SK_b}(·) in period b
    then return 1 else return 0
Definition 2. Let FSIG be a key-evolving signature scheme, and F an adversary. We
let Succ^fwsig(FSIG[k, ..., T], F) denote the probability that the experiment
F-Forge-RO(FSIG[k, ..., T], F) returns 1. Then the insecurity of FSIG is the function

InSec^fwsig(FSIG[k, ..., T]; t, q_sig, q_hash) = max { Succ^fwsig(FSIG[k, ..., T], F) },

where the maximum here is taken over all adversaries F making a total of at most
q_sig queries to the signing oracles across all the stages and for which the running
time of the above experiment (including the time needed to answer the adversary's
queries) is at most t and at most q_hash queries are made to the random oracle H.

The insecurity function above follows the concrete security paradigm and gives us a
measure of how secure or insecure the scheme really is. Therefore, we want its value
to be as small as possible.

2.2 Factoring 

Let A be an adversary for the problem of factoring Blum integers. That is, A gets as
input an integer N that is the product of two primes, each congruent to 3 modulo 4,
and tries to compute these prime factors. We define the following experiment using
notation from [3].

Experiment Factor(k, A)
    Randomly choose two primes p and q, such that:
        p ≡ q ≡ 3 (mod 4), 2^{k-1} ≤ (p − 1)(q − 1), and pq < 2^k
    N ← pq
    (p', q') ← A(N)
    If p'q' = N and p' ≠ 1 and q' ≠ 1 then return 1 else return 0

Definition 3. [Factoring] Let A be an adversary for the problem of factoring Blum
integers and let Succ^fac(A, k) denote the probability that experiment Factor(k, A)
returns 1. The insecurity of factoring Blum integers is the function

InSec^fac(k, t) = max { Succ^fac(A, k) },

where the maximum here is taken over all adversaries A for which the above
experiment runs in time at most t.

3 Our Scheme 

We start by explaining some number theory that provides intuition for our
construction. We then present a slight variation of a signature scheme due to
Micali [17]. The scheme has similarities to the schemes of Ong-Schnorr [16],
Guillou-Quisquater [13] and Ohta-Okamoto [19] and, like them, is based on the idea
of Fiat and Shamir [10] for converting identification schemes into signature
schemes. We then modify the signature scheme to make it forward-secure, and prove
its security.

The schemes in this section are in the random oracle model. We will call the oracle
H : {0, 1}* → {0, 1}^l.

3.1 Number Theory

Let k and l be two security parameters. Let p_1 ≡ p_2 ≡ 3 (mod 4) be two primes of
approximately equal size and N = p_1 p_2 be a k-bit integer (such N is called a Blum
integer). To simplify further computations, we will assume not only that N > 2^{k−1},
but also that |Z*_N| = N − p_1 − p_2 + 1 > 2^{k−1}. Let Q denote the set of non-zero
quadratic residues modulo N. Note that |Q| > 2^{k−3}. Note also that for x ∈ Q,
exactly one of its four square roots is also in Q (this follows from the fact that
−1 is a non-square modulo p_1 and p_2 and the Chinese remainder theorem). Thus,
squaring is a permutation over Q. From now on, when we speak of “the square root of
x,” we mean the single square root in Q; by x^{2^{−1}} we will denote the single
y ∈ Q such that x = y^2.

Let U ∈ Q. Following [12], define F_0(Z) = Z^2 mod N, F_1(Z) = U Z^2 mod N, and, for
an l-bit binary string a = b_1 ... b_l, define F_a : Q → Q as

F_a(Z) = F_{b_l}(... (F_{b_2}(F_{b_1}(Z))) ...) = Z^{2^l} U^a mod N

(note that U^a is a slight abuse of notation, because a is a binary string, rather
than an integer; what is really meant here is U raised to the power of the integer
represented in binary by a). Because squaring is a permutation over Q and U ∈ Q,
F_a is a permutation over Q.

Note that F_a(Z) can be efficiently computed by anybody who knows N and U. Also, if
one knows p_1 and p_2, one can efficiently compute Z = F_a^{−1}(Y) for a given Y (as
shown by Goldreich in [11]) by computing S = 1/U^{2^{−l}} mod N and then letting
Z = Y^{2^{−l}} S^a mod N (these calculations can be done modulo p_1 and p_2
separately, and the results combined using the Chinese remainder theorem). However,
if one does not know the square root of U, then F_a^{−1} is hard to compute, as
shown in the Lemma below (due to [12]).

Lemma 1. Given Y ∈ Q, two different strings a and τ of equal length, Z_1 = F_a^{−1}(Y)
and Z_2 = F_τ^{−1}(Y), one can compute V ∈ Q such that V^2 = U mod N.

Proof. The proof is by induction on the length of the strings a and τ.

If |a| = |τ| = 1, then assume, without loss of generality, that a = 0 and τ = 1. Then
F_0(Z_1) = F_1(Z_2) = Y, i.e., Z_1^2 ≡ U Z_2^2 (mod N), so we can set
V = Z_1/Z_2 mod N.

For the inductive case, let a and τ be two strings of length m + 1. Let a' and τ' be
their m-bit prefixes, respectively. If F_{a'}(Z_1) = F_{τ'}(Z_2), we are done by the
inductive hypothesis. Otherwise, the last bit of a must be different from the last
bit of τ, so, without loss of generality, assume the last bit of a is 0 and the last
bit of τ is 1. Then F_0(F_{a'}(Z_1)) = F_1(F_{τ'}(Z_2)), and the same proof as for
the base case works here.
We will now provide a geometric interpretation of the discussion above. Consider a
complete binary tree of depth l where each node stores a value in Q. The root (at
the top of the tree) stores Y. The values at the children of a node that stores A
are F_0^{−1}(A) at the left child and F_1^{−1}(A) at the right child. Then computing
F_a^{−1}(Y) means finding the value at the leaf for which the path from the root is
given by a (where right-to-left in a corresponds to top-to-bottom in the tree).

It is clearly easy to compute the values “up” the tree from a given node. What the
lemma says is that it is hard to compute the values “down” the tree without the
ability to take square roots: in fact, if one knows two paths from the bottom of the
tree, then one can get the square root of U by looking at the children of the point
where the two paths join together.

Finally, note that the value R stored at the bottom-left leaf of the tree is
F_{00...0}^{−1}(Y) = Y^{2^{−l}}, so if one knows S = 1/U^{2^{−l}} and R, then one can
compute the value at any leaf (given by a) by computing R S^a mod N.

3.2 The 2^l-th Root Signature Scheme

The discussion above suggests the following signature scheme, which is similar to
the schemes of [16] and [17] (an interactive three-round identification scheme can
be designed similarly).

The signer generates a modulus N, picks a random S ∈ Q to keep as its secret key,
computes U = 1/S^{2^l} and outputs (N, U) as its public key.

To sign a message M, it first generates a random R ∈ Q and computes Y = R^{2^l}. Note
that this gives it the ability to find any leaf of the binary tree described above,
rooted at Y. It therefore computes a = H(Y, M) and Z = F_a^{−1}(Y) = R S^a mod N,
which it outputs as the signature.

The verifier checks that Z ≢ 0 (mod N) and computes Y' = F_a(Z) = Z^{2^l} U^a
(mod N). It then verifies that a = H(Y', M).

We will not prove the security of this scheme here. The intuition, however, is the
following: the verifier believes the signature because the signer was able to go
down a random (given by H) path in the tree rooted at Y. Because the ability to go
down two different paths implies the knowledge of the square root of U, the ability
to go down a random path out of 2^l probably also implies that knowledge.

One point worth mentioning is that the verifier does not know if U, Z ∈ Q. All it
knows is that U, Z ≢ 0 (mod N), so either U, Z ∈ Z*_N or else one of the gcd's
(U, N), (Z, N) gives a factorization of N. We therefore need the following
reformulation of Lemma 1.

Lemma 2. Given Z_1, Z_2, U ∈ Z*_N and two different strings a and τ of equal length
such that Z_1^{2^l} U^a ≡ Z_2^{2^l} U^τ (mod N), one can compute V ∈ Z*_N such that
V^2 ≡ U (mod N).

Proof. The proof is the same as for Lemma 1.

In fact, now that we have this lemma, S and R picked by the signer need not be in
Q: they can come from Z*_N.
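The 2^l-th root scheme of this section, as an added worked example (this is not code from the paper or its authors). It uses a constructed toy Blum modulus that is far too small for real use, fixes S and R as parameters instead of drawing them at random so the run is reproducible, and stands SHA-256 in for the random oracle H. Besides key generation, signing and verification it implements the reduction of Lemma 2: given two valid responses for the same Y under two different challenges a and τ, it walks both paths up the tree and reads off a square root of U at the level where they merge, which is exactly why a forger who could answer two challenges would be factoring N.

```python
import hashlib
from math import gcd

# Toy Blum modulus, constructed for illustration only (real moduli are >= 1024 bits).
# Both primes are congruent to 3 mod 4, as Section 3.1 requires.
P1, P2 = 10007, 10067
N = P1 * P2
L = 16  # challenge length l: H outputs l bits, so the tree has depth l


def is_blum_prime(p):
    """Trial-division primality check plus the p = 3 (mod 4) condition."""
    if p < 2 or p % 4 != 3:
        return False
    d = 2
    while d * d <= p:
        if p % d == 0:
            return False
        d += 1
    return True


def H(y, m):
    """Random-oracle stand-in: hash (Y, M) to an l-bit challenge a, read as an integer."""
    digest = hashlib.sha256(f"{y}|{m}".encode()).digest()
    return int.from_bytes(digest, "big") % (1 << L)


def F(a, z, u):
    """F_a(Z) = Z^(2^l) * U^a mod N: walk 'up' the tree from leaf Z along path a."""
    return pow(z, 1 << L, N) * pow(u, a, N) % N


def keygen(s):
    """Secret S in Z*_N (passed in, not random, for reproducibility); public U = 1 / S^(2^l)."""
    assert is_blum_prime(P1) and is_blum_prime(P2) and gcd(s, N) == 1
    u = pow(pow(s, 1 << L, N), -1, N)
    return (N, u), s


def respond(s, r, a):
    """Z = F_a^{-1}(Y) = R * S^a mod N for Y = R^(2^l); S plays the role of 1/U^(2^-l)."""
    return r * pow(s, a, N) % N


def sign(s, m, r):
    """Sign M with secret S and per-signature randomness R (a parameter here; random in practice)."""
    y = pow(r, 1 << L, N)
    a = H(y, m)
    return a, respond(s, r, a)


def verify(pk, m, sig):
    n, u = pk
    a, z = sig
    if z % n == 0:
        return False
    return a == H(F(a, z, u), m)


def sqrt_of_u(z1, a, z2, tau, u):
    """Lemma 2: from Z1^(2^l) U^a = Z2^(2^l) U^tau with a != tau, recover V with V^2 = U mod N.

    Follows the inductive proof: climb both paths from the leaves and stop at the first
    level (from the top) where the two values have merged while the path bits differ.
    """
    assert a != tau and F(a, z1, u) == F(tau, z2, u)
    bits_a = [(a >> (L - 1 - i)) & 1 for i in range(L)]    # b_1 ... b_l, most significant first
    bits_t = [(tau >> (L - 1 - i)) & 1 for i in range(L)]
    va, vt = [z1], [z2]           # va[i] = F_{b_1..b_i}(Z1); va[0] = Z1, va[L] = Y
    for i in range(L):
        va.append(pow(va[-1], 2, N) * pow(u, bits_a[i], N) % N)
        vt.append(pow(vt[-1], 2, N) * pow(u, bits_t[i], N) % N)
    for i in range(L - 1, -1, -1):              # invariant: va[i+1] == vt[i+1]
        if bits_a[i] != bits_t[i]:
            # F_0(x) = F_1(y), i.e. x^2 = U y^2, so V = x / y is a square root of U
            x, y = (va[i], vt[i]) if bits_a[i] == 0 else (vt[i], va[i])
            return x * pow(y, -1, N) % N
        if va[i] != vt[i]:
            # squares agree but the values do not: gcd(va[i] - vt[i], N) factors N
            # (or is N itself); this does not arise when U is a quadratic residue
            raise ValueError(f"paths merged by squaring alone; gcd with N = {gcd(va[i] - vt[i], N)}")
    raise AssertionError("unreachable: a != tau guarantees a differing bit")
```

The extraction function is what the security argument in the text relies on: it never needs the factorisation of N, only two responses to distinct challenges for one commitment Y, which an honest signer never produces because a is fixed by H(Y, M).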


3.3 The Forward-Secure Signature Scheme

Note that the security of the above scheme hinges on the value S and the number l
of squaring operations that separates it from U. It is S that allows the signer to
go from the leftmost leaf of the tree to any leaf and it is l that determines the
maximum depth of the tree.

Thus, a reasonable way of making the scheme forward-secure is to start out with a
deep tree, and to use smaller and smaller depths for subsequent time periods. Then
new values of S can be obtained from old values of S simply by squaring. Old values
of S cannot be recovered from new ones.

While making the tree deeper, however, there is no need to make it any wider. The
width of the tree is only used to ensure that a is sufficiently random, so the
adversary cannot guess what a will be and thus forge a signature. Therefore, the
tree will remain complete to a certain sufficient depth, and from that point, each
node will only have the left child (given by F_0^{−1}). The length of a will remain
the same (l). This will make the scheme more efficient.

Now there is a question of how much up the tree we should go with each time period
(that is, by how many squarings the current value of S should be separated from the
previous value S'). Note that, in order to compute a signature with respect to S',
one only needs S'^a, not S' itself. Thus, if S = S'^{2^x} (mod N) and the last x
bits of a are 0, then S will allow one to compute the signature. Therefore, we
should separate S from S' by |a| squarings, so that a forgery is possible for
exactly one value of a, as before. A smaller separation makes no sense without the
corresponding reduction in the length of a and, therefore, the width of the tree.

Having given the intuition, we refer the reader to Figure 1 for the complete
description of our forward-secure scheme.
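Figure 1 is not reproduced on this page, so the following is an added example (not the paper's own code) that turns the intuition of this section and the interface of Definition 1 into a runnable key-evolving scheme. Its concrete exponents are an assumption taken from the proof sketch of Theorem 1 (Y = Z^{2^{l(T+1−b)}} U^a and the hash query (b, Y, M)): the public key is U = 1/S_0^{2^{l(T+1)}}, each update squares the secret key l times, and a period-j signature is checked by climbing T+1−j levels of l squarings. The modulus is the same constructed toy value as above, S_0 and R are parameters for reproducibility, and SHA-256 stands in for H.

```python
import hashlib
from math import gcd

# Toy Blum modulus (constructed for illustration; real moduli are >= 1024 bits).
P1, P2 = 10007, 10067
assert P1 % 4 == 3 and P2 % 4 == 3
N = P1 * P2
L = 16  # challenge length l: consecutive period keys are separated by l squarings


def H(j, y, m):
    """Random-oracle stand-in: l-bit challenge on (period index, commitment, message)."""
    digest = hashlib.sha256(f"{j}|{y}|{m}".encode()).digest()
    return int.from_bytes(digest, "big") % (1 << L)


def fsig_key(s0, T):
    """Assumed key generation: SK_0 = (0, T, S_0) and PK = (N, T, U) with
    U = 1 / S_0^(2^(l(T+1))) mod N, so that S_j^(2^(l(T+1-j))) * U = 1 for every period j.
    S_0 is a parameter here to keep the example deterministic; it must be random in Z*_N."""
    assert T >= 1 and gcd(s0, N) == 1
    u = pow(pow(s0, 1 << (L * (T + 1)), N), -1, N)
    return (N, T, u), (0, T, s0)


def fsig_update(sk):
    """S_j = S_(j-1)^(2^l) mod N: moving one period forward is l squarings, which cannot
    be undone without the factorisation. Returns the empty string after period T
    (the convention of Definition 1)."""
    j, T, s = sk
    if j >= T:
        return ""
    return (j + 1, T, pow(s, 1 << L, N))


def fsig_sign(sk, m, r):
    """Period-j signature (j, (Z, a)): Y = R^(2^(l(T+1-j))), a = H(j, Y, M), Z = R * S_j^a.
    R must be random in Z*_N; it is a parameter so the run is reproducible."""
    j, T, s = sk
    y = pow(r, 1 << (L * (T + 1 - j)), N)
    a = H(j, y, m)
    return (j, (r * pow(s, a, N) % N, a))


def fsig_recover_y(pk, sig):
    """Verifier's recomputation Y' = Z^(2^(l(T+1-j))) * U^a mod N: F applied T+1-j times,
    climbing from the leaf Z to the root of the period-j tree."""
    n, T, u = pk
    j, (z, a) = sig
    return pow(z, 1 << (L * (T + 1 - j)), n) * pow(u, a, n) % n


def fsig_vf(pk, m, sig):
    """Accept iff the period index is in range, Z is non-zero and a = H(j, Y', M)."""
    n, T, u = pk
    j, (z, a) = sig
    if not (1 <= j <= T) or z % n == 0:
        return False
    return a == H(j, fsig_recover_y(pk, sig), m)
```

Signing happens in periods 1 through T, matching the experiment in Section 2.1, where the first update precedes the first signing query. A party that breaks in and obtains SK_j holds only S_j; using it in place of S_b for some b < j makes the recomputed Y' differ from Y by the factor U^{a(1 − 2^{l(j−b)})}, so the check a = H(b, Y', M) fails except with the 2^{−l} guessing probability that the bound in Theorem 2 accounts for.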


3.4 Security Analysis 

We state the following theorem that will allow us to upper-bound the insecurity 
function for this signature scheme. Its proof combines ideas from [20], [3] and 
[18]. The proof technique used here can also be used to improve the bound on 
the insecurity function of the forward-secure scheme of [3] (see Section 3.5 for 
more details). 

Theorem 1. If there exists a forger F for FSIG[k, l, T] that runs in time at most t,
asking at most q_hash hash queries and q_sig signing queries, such that
Succ^fwsig(FSIG[k, l, T], F) ≥ ε, then there exists an algorithm A that factors Blum
integers generated by FSIG.key(l, T) in expected time at most t' with probability at
least ε', where

a signature (b, (Z, a)). Note that F had to ask a hash query on (b, Y, M) where
Y = Z^{2^{l(T+1−b)}} U^a; otherwise, the probability of its correctly guessing a is
at most 2^{−l}. Then, run F the second time with the same random tape, giving the
same answers to all the oracle queries before the query (b, Y, M). For (b, Y, M)
give a new answer τ. Then, if F again forges a signature (b, (Z', τ)) using Y and
M, we will have a condition similar to that of Lemma 2, and will be able to compute
a square root of U. Please refer to the full version of this paper [1] for the
actual proof.

Theorem 2. Let FSIG[k, l, T] represent our key evolving signature scheme with
modulus size k, challenge length l, and number of time periods T. Then for any t,
q_sig, and q_hash,

InSec^fwsig(FSIG[k, l, T]; t, q_sig, q_hash) ≤
    T √(2(q_hash + 1) InSec^fac(k, t')) + 2^{−l} T (q_hash + 1) + 2^{3−k} q_sig (q_hash + 1),

where t' = 2t + O(k^3 + k^2 l T).

Proof. The value for the insecurity function can be computed simply by solving for
(ε − 2^{3−k} q_sig (q_hash + 1))/T the quadratic equation in Theorem 1 that expresses
ε' in terms of ε to get

(ε − 2^{3−k} q_sig (q_hash + 1))/T
    = 2^{−l−1} (q_hash + 1) + √(2^{−2l−2} (q_hash + 1)^2 + 2ε'(q_hash + 1))
    ≤ 2^{−l−1} (q_hash + 1) + √(2^{−2l−2} (q_hash + 1)^2) + √(2ε'(q_hash + 1))
    = 2^{−l} (q_hash + 1) + √(2ε'(q_hash + 1)),

and then solving the resulting inequality for ε.


3.5 Discussion 

Note that, for any reasonable choices of q_sig and q_hash, the minimally secure
value for the modulus size k (which should be greater than 512) makes the term
2^{3−k} q_sig (q_hash + 1) negligible. The term 2^{−l} T (q_hash + 1) allows one to
find a value for l (the size of the hash values) that depends, mainly, on q_hash
(which is the number of hash values an adversary is believed to be capable of
computing). Finally, the term T √(2(q_hash + 1) InSec^fac(k, t')) allows one to find
the value for k that depends, mainly, on the assumed insecurity of factoring and on
q_hash (because T, which is related to the efficiency of the scheme, is probably
much less than q_hash).

Using our direct proof technique, the bound on the insecurity of the scheme of [3]
can be improved by a factor of almost √(T q_hash) ([3] lose this factor by using an
indirect proof, which first reduces the security of the signature scheme to the
security of the corresponding identification scheme). The resulting bound is

T √(2l(q_hash + 1) InSec^fac(k, t')) + 2^{−l} T (q_hash + 1) + 2^{3−k} q_sig (q_hash + 1),

which is worse than that of our scheme by a factor of at most √l. Thus, the two
schemes have almost the same security for the same parameters l, k, q_sig, q_hash.

The size of both the public and the private keys in the scheme of [3] is about
k(l + 1) bits, while the size of the keys in our scheme is about 2k bits. So the
keys in our scheme are about (l + 1)/2 times shorter.

The efficiency of key generation and update algorithms is about the same for both
schemes.

Signing for both schemes can be decomposed into two components: off-line (before
the message is known) and on-line (once the message is available). The off-line
component for time period j for the scheme of [3] takes time T − j + 1 modular
squarings, while for our scheme it takes l times more. The on-line component takes
about l/2 multiplications for [3] and 3l/2 for our scheme. However, because the
on-line signing component in our scheme involves exponentiation of a fixed base,
precomputation techniques are available. Specifically, if the signer, using a
variation of the technique of Lim and Lee [15], precomputes 3 additional powers of
S_j at the cost of increasing the secret key size by a factor of 2.5, the on-line
component will take about l/2 multiplications, the same as in the [3] scheme.
Precomputation of more values will reduce the on-line component of signing even
further, at the expense of the secret key length and the efficiency of the update
algorithm.

Finally, verification for time period j for the scheme of [3] takes about
T + 1 − j + l/2 modular multiplications, while in our scheme about
l(T + 1 − j) + 3l/2 modular multiplications are needed. Again, precomputing powers
of the public key may be used to reduce the 3l/2 term, but this term is not very
significant unless j is close to T.

Thus, our scheme has slightly better security, much shorter keys, and comparable
efficiency for the on-line component of signing. The efficiency of the off-line
component of signing and that of verifying is worse, however. Because each secret
key needs to be separated by l squarings from the previous one (Section 3.3), we
believe that the efficiency of off-line signing and verifying cannot be improved
without a significant change in the design idea.

4 Schemes in the Standard Model 

Both our scheme above and the Bellare-Miner scheme were proven secure based on the
hardness of factoring and on the assumption that the hash function H behaves like a
random function. The main reason for this is that, when converting an
identification scheme to a signature scheme (a la Fiat-Shamir [10]), the challenge
produced by the hash function should be as random as that produced by an honest
verifier, so as to maintain the security of this transformation.
One way of avoiding random oracles in the design of forward-secure signature
schemes is to use the binary certification tree method suggested by Bellare and
Miner [3]. It works as follows. Each node of the tree represents a pair of keys, a
secret key and the related public key, used for an (ordinary) signature scheme. At
the leaf level, each key is associated to a certain time period. Thus, the total
number of leaves equals the total number of time periods. Each key at an internal
node is used to certify the keys of its two children. The public key for the
forward-secure scheme is the public key at the root of the tree. To sign a message
in a certain time period, we use the secret key of the corresponding leaf and attach
to the signature a certification chain based on the path from the root to that leaf
so that the verifier can check the validity of the key itself. To maintain forward
security, nodes are created dynamically. The secret key of an internal node is
deleted as soon as it certifies the keys of its children. At any time, we only keep
those keys on the path from the root to the leaf associated to the current time
period, plus the right sibling of those nodes which are the left child of their
parents. Consequently, as Bellare and Miner already pointed out, the lengths of both
the secret key and signature are logarithmic in the total number of time slots.

Clearly, the scheme obtained via the binary tree certification method is less
efficient than our scheme above and the random-oracle scheme of [3]. However, by
properly instantiating the scheme, one can reduce its key length while maintaining
its efficiency. The key observation for doing so is that we do not need the full
power of ordinary signature schemes at the internal nodes, since they only need to
certify two other nodes. Hence, we can use more “light-weight” schemes at these
nodes, such as one-time signature schemes [9]. These are schemes which can only
withstand single-message attacks, i.e. the signing key can be used only once. They
are usually very efficient and have the potential for using smaller keys due to the
restriction they impose on the attack. By using such schemes, we were actually able
to achieve some improvements (see the full version of our paper [1]), but,
unfortunately, given what is currently known, this still does not seem to give us a
practical implementation without random oracles.
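The binary certification tree described in the two paragraphs above, as an added example (this is not code from the paper or from Bellare and Miner; the node bookkeeping and the choice of a Lamport one-time signature at every node, including the leaves, are this example's own). It creates nodes on demand, erases an internal node's secret key the moment it has certified its two children, and keeps only the current root-to-leaf path plus the stored right siblings, so the state is logarithmic in the number of periods T = 2^depth. A signature carries the certification chain, and verification walks it from the root public key down to leaf t.

```python
import hashlib
import os

HASH = hashlib.sha256
NBITS = 256


def ots_keygen():
    """Lamport one-time key pair: 256 pairs of random preimages; public key = their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(NBITS)]
    pk = [(HASH(a).digest(), HASH(b).digest()) for a, b in sk]
    return sk, pk


def _msg_bits(msg):
    return [(byte >> (7 - i)) & 1 for byte in HASH(msg).digest() for i in range(8)]


def ots_sign(sk, msg):
    """Reveal one preimage per message bit; the key must never sign a second message."""
    return [pair[bit] for pair, bit in zip(sk, _msg_bits(msg))]


def ots_verify(pk, msg, sig):
    return len(sig) == NBITS and all(
        HASH(s).digest() == pair[bit] for pair, bit, s in zip(pk, _msg_bits(msg), sig))


def pk_bytes(pk):
    return b"".join(a + b for a, b in pk)


class CertTree:
    """Binary certification tree over T = 2**depth periods. Nodes are created on demand;
    a node's secret key is erased as soon as it has certified its children, so the state
    holds only the current root-to-leaf path plus stored right siblings."""

    def __init__(self, depth):
        self.depth, self.t = depth, 0
        self.pending = {}   # (level, index) -> (sk, pk) of created, not yet used nodes
        self.path = []      # one entry per level: [pk_left, pk_right, cert, chosen_bit]
        self.leaf_sk = None
        root_sk, self.root_pk = ots_keygen()
        self._descend((0, 0), root_sk, self.root_pk)

    def _descend(self, node, sk, pk):
        """Certify children down the leftmost path below `node`, erasing each parent key."""
        lvl, idx = node
        while lvl < self.depth:
            lsk, lpk = ots_keygen()
            rsk, rpk = ots_keygen()
            cert = ots_sign(sk, pk_bytes(lpk) + pk_bytes(rpk))
            sk = None                                    # parent key used once, then gone
            self.path.append([lpk, rpk, cert, 0])
            self.pending[(lvl + 1, 2 * idx + 1)] = (rsk, rpk)
            lvl, idx, sk, pk = lvl + 1, 2 * idx, lsk, lpk
        self.leaf_sk = sk

    def sign(self, msg):
        """(t, one-time signature under the leaf key, certification chain root -> leaf t)."""
        return self.t, ots_sign(self.leaf_sk, msg), [tuple(e) for e in self.path]

    def update(self):
        """Advance to period t+1: drop the used leaf key, climb to the nearest ancestor
        that is a left child, and descend from its stored right sibling."""
        self.leaf_sk = None
        self.t += 1
        if self.t >= 2 ** self.depth:
            return
        lvl, idx = self.depth, self.t - 1
        while idx % 2 == 1:                  # right children have no unused sibling
            self.path.pop()
            lvl, idx = lvl - 1, idx // 2
        self.path[-1][3] = 1                 # continue through the right child
        sk, pk = self.pending.pop((lvl, idx + 1))
        self._descend((lvl, idx + 1), sk, pk)


def verify(root_pk, depth, msg, signature):
    """Check every certificate on the chain, that the chain ends at leaf t, and the
    one-time signature on the message under the leaf key."""
    t, leaf_sig, chain = signature
    if len(chain) != depth:
        return False
    pk, idx = root_pk, 0
    for lpk, rpk, cert, bit in chain:
        if not ots_verify(pk, pk_bytes(lpk) + pk_bytes(rpk), cert):
            return False
        pk, idx = (rpk if bit else lpk), 2 * idx + bit
    return idx == t and ots_verify(pk, msg, leaf_sig)
```

Forward security here rests on erasure: after `update`, no secret key for the previous leaf or for any ancestor that has already certified its children exists in the state, and the only stored keys belong to right siblings whose leaves lie in the future. The cost the text mentions is visible too: every signature carries depth certificates, and each Lamport key is 16 KiB, which is what motivates the search for smaller one-time schemes.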

Another way of avoiding the use of random oracles in the design of forward-
secure signature schemes is by using ideas of Cramer and Damgard [6]. They 
show how to convert a secure identification scheme of the type commit-challenge-
respond (which they refer to as signature protocols) into a secure signature 
scheme without relying on random oracles. The transformation is based on the 
idea of authentication trees. In this model, each message has a leaf associated 
to it. Signing a message is simply a matter of computing the path, which they 
call the authentication path, from the leaf associated with that message to the 
root. To avoid having to precompute and store the whole tree, nodes are created 
dynamically in a way very similar to that of the GMR scheme. And like the GMR 
scheme, the resulting scheme is not memoryless and needs to remember the 
signature of the previous message to be able to compute the next signature. The 
length of each signature also grows logarithmically with the number of signed 
messages. This can, however, be improved to give a memoryless scheme, using 
the same modifications that Goldreich [11] suggested for the GMR scheme. The 
length of each signature will now be the same, although still logarithmic in the 
total number of messages ever to be signed. 

In the case of forward security, we would have to start with a forward-secure 
identification scheme (such as the one given in [3]), and then apply to it the same 
type of transformation described above with one main difference: we also have 
to account for the index of the current time period. But we can easily do so by 
simply replacing a message in the original case by a pair message-index in our 
case. Although we do not prove this result, our claim is that forward security 
will be preserved. The main advantage of such an approach is that we can obtain 
a signature scheme which is forward secure based solely on the security of the 
corresponding identification scheme (and thus, if we use the scheme of [3], solely 
on the hardness of factoring). Moreover, the lengths of both the secret and public 
keys are independent of the total number of time periods. Its main disadvantages 
are that the resulting signature scheme would be far less efficient than the one 
we suggest in Section 3, and would have signatures whose length is a function of 
the total number of signed messages (and, therefore, related to the total number 
of time periods). 
Abstract. A potentially serious problem with current digital signature 
schemes is that their underlying hard problems from number theory may 
be solved by an innovative technique or a new generation of comput- 
ing devices such as quantum computers. Therefore while these signature 
schemes represent an efficient solution to the short term integrity (un- 
forgeability and non-repudiation) of digital data, they provide no con- 
fidence on the long term (say of 20 years) integrity of data signed by 
these schemes. In this work, we focus on signature schemes whose se- 
curity does not rely on any unproven assumption. More specifically, we 
establish a model for unconditionally secure digital signatures in a group, 
and demonstrate practical schemes in that model. An added advantage 
of the schemes is that they allow unlimited transfer of signatures with- 
out compromising the security of the schemes. Our scheme represents 
the first unconditionally secure signature that admits provably secure 
transfer of signatures. 

1 Introduction 

Digital signatures are an important technology for ensuring the unforgeability 
and non-repudiation of digital data. While some data may only require the as- 
surance of integrity for a relatively short period of time (say up to 5 years), some 
other important data, such as court records and speeches by a parliamentarian, 
require the assurance of integrity for a long period of time (say up to 50 years). 

Currently, digital signature schemes based on number theoretic problems 
are the prevalent methods used in providing data integrity. These schemes rely 
for their security on the assumed computational difficulty of computing certain 
number theoretic problems, such as factoring large composites or solving dis-
crete logarithms in a large finite field. RSA [20], Fiat-Shamir [11], ESIGN [19] 
and many other schemes are based on the difficulty of factoring. On the other 
hand, ElGamal [10], Schnorr [24], DSA [9] and others, are based on discrete loga-
rithms. Progress in computers as well as further refinement of various algorithms 
has made it possible to solve the number theoretic problems of larger sizes. As 
an example, in August 1999, a team of researchers from around the world suc-
ceeded in cracking a 512-bit RSA composite by the use of the Number Field 
Sieve [3] over the Internet. One can safely predict that even larger composites 
will be factored in the future. In addition, one cannot rule out the possibility 
of the emergence of innovative algorithms that solve efficiently these number 
theoretic problems in the future. More importantly, in the past few years there 
has been significant progress in quantum computers. It has been known that 
quantum computers can solve both factoring and discrete logarithm problems 
with ease [25,1], hence advances in the design and manufacturing of quantum 
computers pose a real threat to the long term security of all the digital signature 
schemes based on number theoretic problems. 

The above discussions indicate the necessity of digital signature schemes that 
provide assurance of long term integrity. In the past decade, several attempts by 
various researchers have been made to address the problem. However, schemes 
proposed by these researchers are essentially variants of authentication codes, 
and none of these schemes has addressed the transferability of signatures among 
recipients. 

The major contribution of this work is to propose the first digital signature 
scheme that admits transferability, and provable unconditional security against 
impersonation, substitution, and transfer with a trap. A potentially useful prop- 
erty of our proposed scheme is that a public key of a user can be associated with 
the user’s unique name, resulting in an identity-based signature scheme. 


1.1 Related Work 

Chaum and Roijakkers [4] made the first attempt to construct an unconditionally 
secure signature scheme using cryptographic protocols. Their basic scheme was 
impractical, as it could only sign a single bit message. Furthermore, in their 
scheme, the level of security of a signature decreased as the signature moved 
from one verifier to another. In practice, it is important for a signature scheme 
to have transferability, i.e., its security is not compromised when a signature 
is transferred among users. Recently an improved version of the Chaum-Roijakkers 
scheme has been proposed in [14]. However, the author of this improved scheme 
has not addressed the transferability of his signature scheme. 

In another development, Chaum, Heijst and Pfitzmann proposed a different 
version of unconditionally secure signature schemes [5]. However, its uncondi- 
tional security was guaranteed only for signers. 

There have also been attempts to modify unconditionally secure authenti- 
cation codes [12,26] with the aim of enhancing the codes with extra security 
properties. It is tempting to transform an unconditionally secure authentication 
code into a digital signature. There are, however, two technical hurdles that are 
hard to overcome. First, authentication codes, especially the conventional Carte-
sian authentication codes, do not provide the function of non-repudiation, as a 
receiver can easily forge a sender’s message and vice versa. Second, the receiver 
is always designated, meaning a signature cannot be verified by another party 
who does not have the shared key. These two properties must be removed for an 
authentication code to be converted into a digital signature. 

An extension of authentication codes is authentication codes with arbitration 
or A²-codes [27,28,15,16,18,14]. These codes involve a trusted third party called 
an arbiter. The arbiter can help resolve a dispute when a receiver forges a sender's 
message or the sender claims that a message is forged by the receiver. A²-codes 
have been further improved to require a less trustworthy arbiter. These codes 
are called A³-codes [2,7,13,29,14,30]. A property shared by both codes is that 
the receiver of a signature has to be designated. 

As yet another extension, multi-receiver authentication codes (MRA) [8,21,14] 
have been extensively studied in the literature. With a MRA scheme, a broadcast 
message can be verified by any of the receivers. Although earlier MRA schemes 
required the sender to be designated, the so-called MRA with dynamic sender 
or DMRA have been proposed [22,23] to relax the requirement of a designated 
sender. It is important to note that these schemes make sense only in broadcast- 
ing. If MRA or DMRA is used for point-to-point authentication, then the sender 
can easily generate a fraudulent message that is accepted by the receiver, but 
not by other participants. The situation is made complex due to the fact that 
the same fraudulent message may have been generated by the receiver himself. 
A further problem is that MRA or DMRA does not provide transferability. In 
particular, if an authenticated message is transferred from one verifier to an- 
other, the second verifier can forge a message that appears to be perfectly valid 
to the next verifier. For the above reasons, neither MRA nor DMRA satisfies the 
non-repudiation requirement of a digital signature. 

In summary, although unconditionally secure authentication codes can be 
enhanced to satisfy some of the properties of a digital signature, not all of the 
requirements can be fulfilled. Especially, none of the enhanced authentication 
schemes has addressed transferability. 


1.2 Main Results 

In this paper, we present an unconditionally secure identity-based signature 
scheme. First, we propose a novel model of a signature system called an Identity-
based Signature Scheme for Unconditional Security in a Group (ISSUSG). As an 
example implementation of the model, a concrete (n, ω, ψ, p_1, p_2)-secure scheme 
in ISSUSG is demonstrated, where n indicates the total number of users, ω the 
maximum number of "bad" users who may collude, ψ is the maximum num-
ber of signatures a user is allowed to generate, and p_1 and p_2 indicate the best 
probabilities for an attacker to succeed. 

Our approach is an information theoretic one, and the security of our scheme 
does not rely on any assumption on the computational power of an attacker. 
Therefore, when the parameters of our scheme are properly chosen, the security 
of the scheme will not be affected by future advancement in computing or an al-
gorithmic breakthrough in number theory. An important property of our scheme 
is that it admits unlimited transfer of signatures from one user to another, with- 
out compromising the security of the signature scheme in any way. A further 
advantage is that the scheme can be made identity-based by associating the 
unique name of a user to the signature generation and verification algorithms. 
The scheme is shown to achieve the lower bound on the required memory size 
of a signature. 

As a by-product, we note that our unconditionally secure digital signature 
scheme can be used as an A³-code and also as a DMRA. In fact, one may view 
our scheme as one that fulfills the requirements of both an A³-code and a DMRA 
scheme. 

The organization of the remaining part of this paper is as follows: In Sec-
tion 2, we present our new model of an identity-based signature scheme for 
unconditional security, which we call an Identity-based Signature Scheme for 
Unconditional Security in a Group (ISSUSG). In Section 3, a concrete uncon-
ditionally secure identity-based signature scheme in the model is proposed. In 
Section 4, some remarks related to our scheme are discussed. Section 5 presents 
the system-parameter settings when practical memory devices are used. In Sec-
tion 6, we discuss how to handle long messages in our scheme. Finally, Section 
7 concludes the paper with some final remarks. 

2 The Model 

In the model we consider, signatures are assumed to work in a group. Namely, 
only members in the group can generate and/or verify signatures. New users 
are allowed to join the group even after the system is set up, as long as the 
total number of users does not exceed a pre-defined threshold (this threshold is 
denoted by n). When the threshold is sufficiently large, in practice our signature 
scheme can be used in many of the applications where conventional public key 
signature schemes are used. Therefore, the group orientation of our scheme should not 
present any difficulties in practical applications. 

We assume that there is a trusted authority, denoted by TA, and n users 
U = {U_1, U_2, ..., U_n}. For each user U_i ∈ U (1 ≤ i ≤ n), for convenience we 
use the same symbol U_i to denote the identity of the user. The TA produces 
a pair of signing and verification-keys on behalf of a user. Once being given a 
pair of keys, a user can then generate and/or verify signatures by using his own 
signing-key and verification-key, respectively. A more formal definition is given 
below: 

Definition 1 A scheme Π is an Identity-based Signature Scheme for Uncondi-
tional Security in a Group (ISSUSG) if it is constructed as follows: 

1. Notation: 

Π consists of (TA, U, M, S, V, A, Sig, Ver), where 

- TA is a trusted authority, 
- U is a finite set of users (to be precise, users' unique names), 
- M is a finite set of possible messages, 
- S is a finite set of possible signing-keys, 
- V is a finite set of possible verification-keys, 
- A is a finite set of possible signatures, 
- Sig : S × M → A is a signing-algorithm, 
- Ver : M × A × V × U → {accept, reject} is a verification-algorithm. 

2. Key Pair Generation and Distribution by TA: 

For each user U_i ∈ U, the TA chooses a signing-key s_i ∈ S and a verification-
key v_i ∈ V, and transmits the pair (s_i, v_i) to U_i via a secure channel. After 
delivering these keys, the TA erases the pair (s_i, v_i) from his memory. And 
each user keeps secret both his signing-key and verification-key. 

3. Signature Generation: 

For a message m ∈ M, U_i generates a signature σ = Sig(s_i, m) ∈ A by 
using the signing-key in conjunction with the signing-algorithm. The pair 
(m, σ) is regarded as a signed message of U_i. 

4. Signature Verification: 

On receiving (m, σ) from U_i, a user U_j checks whether σ is valid by using 
his verification-key v_j. More precisely, U_j accepts (m, σ) as a valid signed 
message from U_i if and only if Ver(m, σ, v_j, U_i) = accept. 

The main difference between our definition of signature schemes and that of 
conventional ones based on public-key cryptography lies in the fact that in our 
model each user is required to keep secret both his signing-key and verification- 
key. 

In order to discuss in a formal way the security of a signature scheme in 
our model, we define the probability of success of various types of attacks. We 
consider three broad types of attacks: impersonation, substitution and transfer 
with a trap. Of these attacks, the first two are usually taken into account in 
discussing the security of authentication codes, especially A²-codes, A³-codes, 
and MRA codes. The third type of attacks, transfer with a trap, is new, and will 
be formally defined later. 

Consider the case where there are n users among whom up to ω users may 
be dishonest (and hence may collude). Each user is allowed to sign up to ψ 
signatures. We now discuss in a more formal way the three types of attacks. 

1) Impersonation: 

t users, with t ≤ ω, launch an attack against a pair of users U_i and U_j by 
generating a signed message with the hope that U_j accepts it as being a valid 
signature from U_i. This attack may be executed after the colluders observe 
at most ψ(n − 1) signed messages generated by users other than U_i. 

2) Substitution: 

t users, with t ≤ ω, construct a fraudulent message m' to replace a message 
genuinely signed by U_i, with the hope that U_j will accept it as being an 
authentic message from U_i. This attack may be executed after the colluders 
observe at most ψn signed messages generated by any users. Among the 
observed messages, at least one but up to ψ may be generated by U_i. 

3) Transfer with a trap: 

After U_j receives a valid pair (m, σ) from U_i, t colluders, where t ≤ ω, 
attempt to generate a new pair (m, σ') with σ ≠ σ'. Note that both the 
signer U_i and the user U_j could be among the colluders. The colluders hope 
that another user U_k will accept (m, σ') as being a valid message-signature 
pair from U_i, but no other users will. The risk with this attack is that when 
U_j transfers such a pair (m, σ') to U_k and U_k then transfers it to another 
user U_l, U_l finds that the pair is invalid. When this happens, U_k is in a sense 
trapped by the colluders. 

To formally define the probabilities of success in the above three attacks, 
some notations are introduced first. 

Let 𝒲 := {W ⊆ U | |W| ≤ ω}. Each element of 𝒲 represents a group of 
possibly colluding users. Let s_W and v_W be the set of signing-keys and that of 
verification-keys for a W ∈ 𝒲, respectively. 

Definition 2 The success probabilities of impersonation, substitution and trans-
fer with a trap attacks, denoted by P_I, P_S and P_T respectively, are formally 
defined as follows: 

1) Success probability of impersonation: for W ∈ 𝒲 and U_i, U_j ∈ U with 
U_i, U_j ∉ W, we define P_I(U_i, U_j, W) as 

\[
P_I(U_i, U_j, W) := \max_{s_W,\, v_W} \;\max_{\{c_k\}_{1 \le k \le n,\; k \ne i}} \;\max_{(m,\sigma)} \Pr\bigl(U_j \text{ accepts } (m,\sigma) \text{ as valid from } U_i \mid s_W, v_W, \{c_k\}\bigr),
\]

where c_k = {(m_{k,l}, σ_{k,l})} is taken over a family of possible sets of valid signed 
messages generated by U_k (1 ≤ k ≤ n, k ≠ i) such that 0 ≤ |c_k| ≤ ψ (1 ≤ 
k ≤ n, k ≠ i). Note that the m_{k,l} are not necessarily distinct. Then, P_I is given 
as 

\[
P_I := \max_{U_i,\, U_j,\, W} P_I(U_i, U_j, W),
\]

where W ∈ 𝒲 and U_i, U_j ∈ U with U_i, U_j ∉ W. 

2) Success probability of substitution: for W ∈ 𝒲 and U_i, U_j ∈ U with U_i, U_j ∉ 
W, we define P_S(U_i, U_j, W) as 

\[
P_S(U_i, U_j, W) := \max_{s_W,\, v_W} \;\max_{\{c_k\}_{1 \le k \le n}} \;\max_{(m,\sigma)} \Pr\bigl(U_j \text{ accepts } (m,\sigma) \text{ as valid from } U_i \mid s_W, v_W, \{c_k\}\bigr),
\]

where c_k = {(m_{k,l}, σ_{k,l})} is taken over a family of possible sets of valid 
signed messages generated by U_k (1 ≤ k ≤ n) such that 0 < |c_i| ≤ ψ and 
0 ≤ |c_k| ≤ ψ (1 ≤ k ≤ n, k ≠ i), and (m, σ) is taken such that m ≠ m_{i,l} for 
any l. Note that the m_{k,l} are not necessarily distinct. Then, P_S is given as 

\[
P_S := \max_{U_i,\, U_j,\, W} P_S(U_i, U_j, W),
\]

where W ∈ 𝒲 and U_i, U_j ∈ U with U_i, U_j ∉ W. 

3) Success probability of transfer with a trap: for W ∈ 𝒲 and U_i, U_j ∈ U with 
U_j ∉ W, we define P_T(U_i, U_j, W) as 

\[
P_T(U_i, U_j, W) := \max_{s_W,\, v_W} \;\max_{\{c_k\}_{1 \le k \le n,\; k \ne i}} \;\max_{(m,\sigma)} \;\max_{(m,\sigma')} \Pr\bigl(U_j \text{ accepts } (m,\sigma') \text{ as valid from } U_i \mid s_W, v_W, \{c_k\}, (m,\sigma)\bigr),
\]

where c_k = {(m_{k,l}, σ_{k,l})} is taken over a family of possible sets of valid 
signed messages generated by U_k (1 ≤ k ≤ n, k ≠ i) such that 0 ≤ |c_k| ≤ 
ψ (1 ≤ k ≤ n, k ≠ i), (m, σ) is taken over the set of possible signed messages 
generated by U_i, and σ' is taken such that σ ≠ σ'. Then, P_T is given as 

\[
P_T := \max_{U_i,\, U_j,\, W} P_T(U_i, U_j, W),
\]

where W ∈ 𝒲 and U_i, U_j ∈ U with U_j ∉ W. 

Now we are ready to define the concept of an (n, ω, ψ, p_1, p_2)-secure ISSUSG 
signature scheme. Here both p_1 and p_2 are security parameters whose meanings 
will be made precise in the following definition. 

Definition 3 Let Π be an ISSUSG with n users. Then, Π is (n, ω, ψ, p_1, p_2)-
secure if the following conditions are satisfied: as long as there exist at most ω 
colluders and each user is allowed to generate at most ψ signatures, the following 
inequalities hold: 

\[
\max\{P_I, P_S\} \le p_1, \qquad P_T \le p_2,
\]

where P_I, P_S and P_T are the probabilities of success in impersonation, substitu-
tion and transfer with a trap attacks, respectively. 

We note that there is an alternative definition of security in which one may 
use a single security parameter p instead and define the success probability as 

\[
\max\{P_I, P_S, P_T\} \le p.
\]

In practice, however, some applications may attach more weight to strength 
against impersonation and substitution than against transfer with a trap, while 
some other applications may have an emphasis on robustness against transfer 
with a trap. By introducing two separate parameters p_1 and p_2, we have an 
opportunity to design a signature scheme with a fine-tuned level of security. 


3 Implementation 

3.1 Protocol 

In this section, an implementation of the ISSUSG will be presented. It is con-
structed by the use of a polynomial with ω + 2 variables over a finite field. 

As before, let U := {U_1, U_2, ..., U_n} be the set of n users and TA the trusted 
authority. 
1. Key Pair Generation and Distribution by TA: 

Let F_q be the finite field with q elements such that q > n. The TA picks 
uniformly at random n elements v_1, v_2, ..., v_n in F_q^ω for users U_1, U_2, ..., U_n 
respectively, and constructs a polynomial F(x, y_1, ..., y_ω, z) as follows: 

\[
F(x, y_1, \ldots, y_\omega, z) = \sum_{i=0}^{n-1} \sum_{k=0}^{\psi} a_{i0k}\, x^i z^k + \sum_{i=0}^{n-1} \sum_{j=1}^{\omega} \sum_{k=0}^{\psi} a_{ijk}\, x^i y_j z^k,
\]

where the coefficients a_{ijk} are chosen uniformly at random from F_q. More-
over, we assume that a user's identity U_i and a message m are also from 
F_q. 

For each user U_i (1 ≤ i ≤ n), the TA computes a signing-key s_i := 
F(U_i, y_1, ..., y_ω, z), and a verification-key ṽ_i := F(x, v_i, z). v_i and ṽ_i together 
form a pair of verification-keys for user U_i. The TA then sends both the 
signing-key and the pair of verification-keys to U_i over a secure channel. 
Once the keys are delivered, there is no need for the TA to keep the user's 
keys. 

2. Signature Generation: 

For a message m ∈ F_q, U_i generates a signature by 

\[
\sigma = F(U_i, y_1, \ldots, y_\omega, z)\big|_{z = m} = F(U_i, y_1, \ldots, y_\omega, m)
\]

using his signing-key. 

3. Signature Verification: 

On receiving (m, σ) from U_i, user U_j checks whether σ is valid by the use of 
his verification-keys v_j and ṽ_j. More specifically, U_j calculates evaluation val-
ues r_1, r_2 using his verification-keys ṽ_j = F(x, v_j, z) and v_j := (v_{1,j}, ..., v_{ω,j}) 
as follows: 

\[
r_1 := F(x, v_j, z)\big|_{x = U_i,\; z = m}, \qquad r_2 := \sigma\big|_{(y_1, \ldots, y_\omega) = (v_{1,j}, \ldots, v_{\omega,j})}.
\]

U_j accepts (m, σ) as being a valid message-signature pair from U_i if and only 
if r_1 = r_2. 
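The protocol above, as an added example that is not the paper's own code: a toy Python implementation of the Section 3.1 key generation, signing and verification over a constructed small field (q = 10007, n = 4, ω = 2, ψ = 3, identities 1..4 and the message 4242 are all constructed values), including a signature transferred to a second verifier and a σ' ≠ σ that the verifier rejects.

```python
# Added example (not the paper's own code): a toy implementation of the
# polynomial-based ISSUSG protocol of Section 3.1. Parameters are tiny so it
# runs instantly; Section 5 uses |q| = 160 bits in practice. Identities U_i
# and messages m are elements of F_q, as the paper assumes.
import random
import secrets

Q = 10007  # prime; F_q is the integers mod Q (constructed toy parameter)


def poly_eval(coeffs, x):
    """Return sum_k coeffs[k] * x^k in F_q, by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


class TrustedAuthority:
    """Holds F(x, y_1, ..., y_omega, z) and derives each user's keys from it."""

    def __init__(self, n, omega, psi, rng=secrets.randbelow):
        self.n, self.omega, self.psi, self.rng = n, omega, psi, rng
        # a[i][j][k] is the coefficient of x^i * y_j * z^k; j == 0 stands for
        # the terms without any y_j. Degree n-1 in x, psi in z, and at most 1
        # in each y_j separately (no products of different y's).
        self.a = [[[rng(Q) for _ in range(psi + 1)]
                   for _ in range(omega + 1)]
                  for _ in range(n)]

    def issue_keys(self, uid):
        """Return (s_i, (v_i, v~_i)) for the user whose identity is uid."""
        n, omega, psi, a = self.n, self.omega, self.psi, self.a
        # s_i = F(U_i, y_1..y_omega, z): the coefficient of y_j z^k is
        # sum_i a[i][j][k] U_i^i, i.e. (omega+1)(psi+1) field elements.
        s = [[sum(a[i][j][k] * pow(uid, i, Q) for i in range(n)) % Q
              for k in range(psi + 1)]
             for j in range(omega + 1)]
        # v_i: omega random field elements, kept secret by the user.
        v = [self.rng(Q) for _ in range(omega)]
        # v~_i = F(x, v_i, z): coefficient of x^i z^k after substituting
        # y_j := v_{j,i}; n(psi+1) field elements.
        v_tilde = [[(a[i][0][k]
                     + sum(a[i][j][k] * v[j - 1] for j in range(1, omega + 1)))
                    % Q for k in range(psi + 1)]
                   for i in range(n)]
        return s, (v, v_tilde)


def sign(signing_key, m):
    """sigma = F(U_i, y_1..y_omega, z)|_{z=m}: a list of omega+1 field
    elements, the coefficients of 1, y_1, ..., y_omega."""
    return [poly_eval(coeffs_in_z, m) for coeffs_in_z in signing_key]


def verify(verification_keys, signer_uid, m, sigma):
    """U_j's check: r_1 = F(x, v_j, z)|_{x=U_i, z=m} must equal
    r_2 = sigma evaluated at (y_1, ..., y_omega) = v_j."""
    v, v_tilde = verification_keys
    r1 = poly_eval([poly_eval(row, m) for row in v_tilde], signer_uid)
    r2 = (sigma[0] + sum(c * vj for c, vj in zip(sigma[1:], v))) % Q
    return r1 == r2


def demo(seed=None):
    """Run the protocol for n=4, omega=2, psi=3 and return the outcomes of
    the checks. A seed gives a reproducible run; a real TA must draw its
    coefficients from a cryptographic source such as secrets.randbelow."""
    rng = random.Random(seed).randrange if seed is not None else secrets.randbelow
    ta = TrustedAuthority(n=4, omega=2, psi=3, rng=rng)
    keys = {uid: ta.issue_keys(uid) for uid in (1, 2, 3, 4)}
    m = 4242                                   # constructed message in F_q
    sigma = sign(keys[1][0], m)                # U_1 signs m
    ok_u2 = verify(keys[2][1], 1, m, sigma)    # U_2 accepts it from U_1
    ok_u3 = verify(keys[3][1], 1, m, sigma)    # transferred to U_3: still valid
    forged = sigma[:]                          # a sigma' != sigma for the same m
    forged[0] = (forged[0] + 1) % Q
    rejected = not verify(keys[2][1], 1, m, forged)
    return ok_u2, ok_u3, rejected, len(sigma)
```

Each verifier checks the same σ against its own secret pair (v_j, ṽ_j), which is what lets a signature be passed from U_2 to U_3 unchanged; the tampered σ' fails because r_2 shifts while r_1 does not.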

We can show that the above signature scheme is an (n, ω, ψ, p_1, p_2)-secure 
ISSUSG scheme for the values of p_1 and p_2 stated in Theorem 1. 

Theorem 1 The above scheme results in an (n, ω, ψ, (§ — =r), | )-secure ISSUSG 
scheme. 

Due to the lack of space, the proof of Theorem 1 is omitted. It will be provided 
in the full version of this paper. 

The above scheme can be modified slightly, resulting in yet another (n, ω, ψ, 
|, ^j)-secure ISSUSG scheme. 

Theorem 2 In the above construction, the following modification also produces 
an (n, ω, ψ, jpg -)-secure ISSUSG scheme: 

Instead of choosing randomly, the TA may choose n elements v_1, ..., v_n ∈ F_q^ω 
as verification-keys, such that for any ω + 1 vectors v_{i_1}, ..., v_{i_{ω+1}}, 
the ω + 1 new vectors (1, v_{1,i_1}, ..., v_{ω,i_1}), ..., (1, v_{1,i_{ω+1}}, ..., v_{ω,i_{ω+1}}) are linearly 
independent. 

Note that our scheme can be used in place of an authentication code, MRA or 
DMRA. In fact our scheme is cryptographically stronger than the authentication 
codes, with an added benefit of being transferable, although it requires more 
memory space than MRA and DMRA. 

3.2 Memory Sizes 

The following theorem states the required memory size for our construction, and 
its proof is obvious. 

Theorem 3 The required memory size in the above constructions is given as 
follows: 

\[
|A| = q^{\omega+1} \quad \text{(size of signature)},
\]
\[
|S| = q^{(\omega+1)(\psi+1)} \quad \text{(size of signing-key)},
\]
\[
|V| = q^{\omega + n(\psi+1)} \quad \text{(size of verification-key)}.
\]

Corollary 1 The construction proposed in Theorem 2 is optimal in terms of 
the memory size of a signature. 

The proof follows from [23]. 

It is not yet clear to the authors as to whether the scheme also achieves 
optimality in terms of memory size for signing-keys and verification-keys. 

4 Some Remarks on Our Scheme 

This section shows useful extensions of the scheme presented above, and discusses 
some of the properties of the scheme. More detailed discussions will be provided 
in the full version of this paper. 

4.1 Signature Scheme for t Senders 

In some applications, users who might sign are specified first. When there are 
only t specified senders in the system, we can easily specialize our scheme to 
produce a signature scheme for t senders. Namely, by changing the degree n − 1 of 
x in F(x, y_1, ..., y_ω, z) to t − 1, a signature scheme for t senders is obtained. Based 
on this restriction, the required memory for verification-keys can be reduced from 
q^{ω+n(ψ+1)} to q^{ω+t(ψ+1)}. Note that the required memory sizes for signatures and 
signing-keys are still the same as in the non-restrictive scheme. 
4.2 Arbiter 

We can also introduce an arbiter which can resolve a dispute between a signer 
and a recipient. In one such implementation, the arbiter will be given a pair of 
verification-keys, whereas no user will. The arbiter can notify users of the result 
of verification of a signature. We note that any user can play the role of an 
arbiter for other users. 

4.3 Reduction of Memory Size for Verification-Key 

In the proposed schemes in Section 3, the degree of x in F(x, y_1, ..., y_ω, z) is 
set as n − 1. If the degree of x is ω + d instead (d < n − ω − 2), the system 
may be attacked as follows: when the same message is signed by d + 1 signers, ω 
colluders can forge a victim's signature of the same message by using their own 
secrets and the generated signatures. To prevent the scheme from this attack, 
the degree of x is set to n − 1, which is the primary contributor to the required 
memory size of verification-keys. 

If in a practical system it is known that the chance for the same message to be 
signed by d + 1 signers is extremely small, the degree of x may be set to be smaller 
than n − 1. This will reduce the required memory size for verification-keys. 

4.4 Active Attacks against Verification-Keys 

As already discussed earlier, the proposed scheme is unconditionally secure 
against passive attacks. In an active attack, an adversary may manage to obtain 
some information on verification-keys. As an example, by selecting a random 
element from F_q^{ω+1} as a forged signature and obtaining the verification result 
from a targeted victim, the adversary obtains some information on the victim's 
verification-key. We can show that the information obtained does not help suc-
ceed with a non-negligible probability in impersonation, substitution or transfer 
with a trap. Thus such an active attack is not an issue in practice. Details will 
be presented in the full paper. 

5 Practical Systems Based on Memory Devices 

In this section, we discuss the values of security parameters in the proposed 
schemes. Table 1 shows the value of ψ according to the values of the number of 
users and memory devices which may contain users' signing-keys, assuming the 
worst case where ω = n − 1. One can see that using commonly available memory 
devices, the number of signatures that can be generated by a user is sufficiently 
large even for a large organization that has 1,000 to 10,000 users. 

Table 2 gives data on a more realistic setting. One can see that compared 
with the previous table, the number of signatures that can be signed by a user 
increases significantly. 

We note that the capacity of memory devices is getting larger and larger, 
and their prices are dropping as fast. This helps significantly the usability of the 
proposed signature scheme. 
Table 1. The number of signatures a user can generate, assuming that |q| has 
160 bits and ω = n − 1. 

                           n = 1,000   n = 10,000   n = 100,000   n = 1,000,000
  2HD disk (1.44 MByte)           71            6             0               0
  ZIP (100 MByte)              4,999          499            49               4
  CD-R (650 MByte)            32,499        3,249           324              31
  DVD-RAM (5.2 GByte)        259,999       25,999         2,599             259

Table 2. The number of signatures a user can generate, assuming that |q| has 
160 bits and ω is determined appropriately for each n. 

                           n = 1,000   n = 10,000   n = 100,000   n = 1,000,000
                             ω = 500    ω = 2,000    ω = 10,000      ω = 50,000
  2HD disk (1.44 MByte)          142           34             6               0
  ZIP (100 MByte)              9,979        2,497           498              98
  CD-R (650 MByte)            64,869       16,240         3,248             648
  DVD-RAM (5.2 GByte)        518,961      129,934        25,996           5,198


6 On Handling Long Messages 

In our proposed scheme, the length of messages to be signed is restricted to be 
|q| or less. An important question that is yet to be addressed is how to handle 
longer messages, without significantly increasing the size of such a message. 

In practice, one may use the technique of applying a one-way hashing to 
a long message prior to signing it. Some examples of one-way hash algorithms 
are SHA-1 [17], HAVAL [31] and RIPEMD-160 [6]. Although this will lose the 
unconditional security property of the proposed signature scheme, we note that a 
good one-way hash function would remain secure even if one employed quantum 
computers in attacking it. 


7 Conclusions 

We have proposed unconditionally secure identity-based signature schemes. More 
specifically, we have established a model for unconditionally secure digital signa- 
tures in a group, and demonstrated practical schemes in that model. An added 
advantage of the scheme is that it allows unlimited transfer of signatures without 
compromising the security of the scheme. Although there is a limit on the num- 
ber of signatures a user can generate, this limitation is not an issue in practice 
thanks to the development in inexpensive memory devices with a huge capacity. 
Specifically, by using a DVD-RAM, 25,999 signatures can be generated by a user 
in an organization of 10,000 employees. 
We are currently working on other possible implementations of ISSUSG, as 
well as the problem of how to sign long messages without losing unconditional 
security. 
Abstract. Since the introduction of secure multi-party computation, all 
proposed protocols that provide security against cheating players suffer 
from very high communication complexities. The most efficient uncondi-
tionally secure protocols among n players, tolerating cheating by up to 
t < n/3 of them, require communicating O(n^6) field elements for each 
multiplication of two elements, even if only one player cheats. 

In this paper, we propose a perfectly secure multi-party protocol which 
requires communicating O(n^3) field elements per multiplication. In this 
protocol, the number of invocations of the broadcast primitive is inde-
pendent of the size of the circuit to be computed. The proposed tech-
niques are generic and apply to other protocols for robust distributed 
computations. 

Furthermore, we show that a sub-protocol proposed in [GRR98] for im-
proving the efficiency of unconditionally secure multi-party computation 
is insecure. 


1 Introduction 

1.1 Secure Multi-party Computation 

The goal of secure multi-party computation, as introduced by Yao [Yao82], is 
to enable a set of n players to compute an arbitrary agreed function of their 
private inputs. The computation must guarantee the correctness of the outputs 
while preserving the secrecy of the players’ inputs, even if some of the players 
are corrupted by an active adversary and misbehave maliciously. 

As the first general solution to this problem, Goldreich, Micali, and Wigder- 
son [GMW87] presented a protocol, based on cryptographic intractability as- 
sumptions, which allows n players to securely compute an arbitrary function even 
if an adversary corrupts any t < n/2 of the players. In the secure-channels model, 
where bilateral secure channels between every pair of players are assumed, Ben-
Or, Goldwasser, and Wigderson [BGW88] and independently Chaum, Crepeau, 
and Damgard [CCD88] proved that unconditional security is possible if at most 
t < n/3 of the players are corrupted. In a model where additionally physical 
broadcast channels are available, unconditional security is achievable if at most 
t < n/2 players are corrupted [RB89, Bea91b, CDD+99]. 


1.2 Efficiency Considerations 

All proposed multi-party protocols that provide security against misbehaving 
players suffer from high communication complexities. This is in sharp contrast 
to their private (but non-resilient) counterparts, for which reasonably efficient 
solutions are known [BGW88]. The communication overhead of resilient multi- 
party protocols over private protocols is due mainly to the sophisticated tech- 
niques for achieving resilience against faults. Specifically, these techniques make 
extensive use of a broadcast primitive, which must be realized with a protocol for 
Byzantine agreement (e.g., [PSL80, DFF+82, FM88, BGP89, CW89]). Such pro- 
tocols are very communication-intensive. The necessity of the broadcast channel 
is independent of whether or not actual faults occur: often broadcast is used 
to complain about an inconsistency, but when no inconsistency is detected, the 
players must nevertheless broadcast a confirmation message (the inherent infor- 
mation of the message is one bit). Many researchers take a broadcast channel for 
granted, neglecting the fact that this primitive does not exist in most realistic sce- 
narios for distributed computing, and hence must be simulated. Broadcast is an 
efficiency bottleneck, in both information-theoretic and cryptographic settings; 
reducing the number of broadcast invocations is therefore crucial for reducing 
the overall communication complexity of distributed protocols. 

There is a line of research that focused on reducing the communication com- 
plexity of multi-party protocols. First, several works [BB89, BMR90, BFKR90] 
concentrated on reducing the round complexity of such protocols. However, the 
price for the low round complexity is a substantially increased message complexity. With the current results, namely $O(n^6)$ field elements per multiplication, the
main efficiency bottleneck seems to be the message complexity rather than the 
round complexity. First steps towards lower message complexities were taken in 
[BFKR90]. The proposed protocol is very efficient, but it only tolerates adversaries corrupting up to $t = O(\log n)$ players. Protocols with optimal resilience
(i.e., t < n/3) were proposed in [FY92] and in [GRR98]. Their approach is to 
first perform a private protocol with fault-detection (for the whole protocol in 
[FY92], and for a part of the protocol in [GRR98]), and only in case of faults 
to repeat the computation with a slow but resilient protocol. Although this ap- 
proach can improve the best-case complexity of the protocol (when no adversary 
is present), it cannot speed up the protocol in the presence of a malicious ad- 
versary: a single corrupted player can persistently enforce the robust but slow 
execution, annihilating (and even inverting) any efficiency gain. 
1.3 Contributions

This paper significantly improves the message complexity of unconditionally 
secure multi-party computations, without increasing the round complexity in a 
relevant manner. We consider a set of n players, where up to t < n/3 of them can 
be corrupted by a computationally unbounded, adaptive, active adversary. We 
present a protocol that allows the players to securely compute an agreed function 
specified as an arithmetic circuit over a finite field F, requiring communication 
of $O(mn^3)$ field elements, where $m$ denotes the number of multiplication gates in the circuit. The total number of invocations of the broadcast primitive in the whole protocol is only $O(n^2)$, independent of the circuit size.

This is to be compared with the most efficient unconditionally secure protocol 
known so far, namely the protocol of Beaver [Bea91a], which requires $O(mn^6)$ field elements. Other protocols whose goal is to improve the message complexity of unconditionally secure multi-party protocols [FY92, GRR98] fail to do so in the presence of faults. The new protocol improves even on the cryptographically secure protocol [GRR98], which communicates $O(mn^4)$ field elements¹ (but tolerates up to $t < n/2$ corruptions). Recently, a protocol with cryptographic security for evaluating Boolean circuits was proposed in which $O(mn^3 k)$ bits are communicated, where $k$ is a security parameter [CDN00]. The round complexities of all considered protocols are essentially equal. All stated complexities
include the costs of simulating the broadcast channels by a protocol for Byzan- 
tine agreement. 

The techniques that allow this speed-up are generic and apply to many proto- 
cols for general multi-party computation as well as to special-purpose protocols, 
in both the cryptographic model and the information-theoretic model. One key 
technique is player elimination. In contrast to previous protocols where only 
evident misbehavior leads to elimination and where slowing down the protocol 
is still possible without being detected, we proceed more rigorously: Whenever 
a fault occurs (and slows down the protocol execution), a set of players which 
contains at least a certain number of corrupted players (but possibly also some 
honest ones) is identified and eliminated from the further protocol execution. 
This ensures that faults occur only rarely, namely at most t times during the 
entire computation, which in turn allows to reduce the number of consistency 
checks performed in the protocol: Rather than after each gate, the consistency 
checks are performed only after a sequence of gates, a so-called segment. During 
the entire computation, up to t segments can fail and require re-computation, 
but with an appropriate size of the segments, the total cost of re-computation 
will be much smaller than the savings due to the reduced number of the checks. 

Furthermore, we show that the very efficient protocol of [GRR98] for the 
verification of equality of shared values is insecure (cf. App. A), thus invalidating 
previously stated efficiency improvements. 


¹ In this protocol, the field must be large for security reasons.
1.4 Outline

In Sect. 2 we introduce the general framework for efficient resilient protocols. 
This framework is not specific for multi-party computation. The new multi- 
party computation protocol is described in Sect. 3, and its efficiency is analyzed 
and compared with known protocols in Sect. 4. Finally, some conclusions and 
open problems are mentioned in Sect. 5. 

2 Framework for Efficient Resilient Protocols 

2.1 Introduction 

Distributed protocols resilient against misbehavior of some of the players re- 
quire in general much more communication than their private (but non-resilient) 
counterparts, even when no cheating occurs. The reasons for this contrast are 
two-fold: First, in a model where players might deviate from the protocol, expen- 
sive consistency checks must be performed frequently, and agreement must be 
reached on whether or not faults occurred. Second, if indeed at least one player 
misbehaves, then inconsistencies will occur, and costly fault-recovery procedures 
must be applied. Note that the consistency checks are necessary even when no 
cheating occurs, whereas fault recovery is necessary only when at least one player 
misbehaves. 

In this section, we describe a framework for efficient resilient protocols that 
overcomes these disadvantages. The key idea is to eliminate at least one malicious 
player (and potentially some honest players) each time a fault is detected. Hence 
the number of fault-recovery invocations is bounded by the maximal number of 
corrupted players and is independent of the length of the protocol. Furthermore, 
the resulting seldom occurrence of faults allows to reduce the frequency of con- 
sistency checks and thereby to significantly reduce the communication-overhead 
caused by them. 

The techniques presented in this section apply to many applications in several 
models, including those relying on intractability assumptions. The adversary can 
be static or adaptive, but not mobile: A mobile adversary [OY91, CH94] may 
release some of the corrupted players during the protocol execution and thereby 
regain the capability of corrupting new players, which contradicts the idea of 
elimination of corrupted players. 

2.2 Incorporating Resilience into a Private Protocol 

We consider a private protocol that proceeds in rounds (e.g., in each round one 
gate is evaluated) and wish to execute this protocol in a resilient manner. In 
contrast to the classical approach to resilient protocols, where after each round 
some consistency checks are performed and agreement on whether or not a fault 
occurred is reached, we divide the protocol into segments, each consisting of a 
sequence of rounds, and only at the end of each segment the consistency of the 
data held by the players is checked and the players agree on whether or not a 
fault occurred (fault detection). If a fault is detected, then a set of players is identified which contains at least a certain number of cheaters (fault localization), the players in the set are eliminated from the further protocol execution (player elimination), and the failed segment is repeated (fault correction). If privacy is an issue, then after each round some checks must be performed, but no agreement must be reached on the fact whether or not a fault occurred (weak fault detection).

During a protocol consisting of m rounds, the classical approach invokes m 
times fault detection and, if at least one player misbehaves permanently, m times 
fault-recovery. In our approach, where the protocol is divided into segments of $m_s$ rounds, only the weak fault detection is invoked $m$ times. Fault detection is performed $m/m_s$ times, and fault localization, player elimination, and fault correction are invoked at most $t$ times. By selecting $m_s$ appropriately, the overhead
for the (in total up to t) repetitions of a segment will not dominate the total 
complexity of the protocol, and the costs of fault detection and fault localization 
are independent of m (and polynomial in n). In many applications, this will 
significantly reduce the overall complexity of the protocol. 

We now describe the steps in more detail: 

1. Private computation with weak fault detection. All rounds of the seg- 
ment are computed according to the private computation. The computation 
of this step must be verifiable, i.e. it must be possible to check later (see below) whether or not any faults occurred. However, robustness is not required, i.e. if faults occur, then the computation may fail (in such a case it must be
possible to perform an appropriate fault localization, see below). In order 
to preserve privacy even in case of faults, consistency checks are performed 
after each round, and every player sends to every other player one bit indi- 
cating whether or not he observed an inconsistency. A player who observed 
or was informed about an inconsistency will use default (random) dummy 
values unrelated to the actual values in all further rounds of the segment. 

2. Fault detection. The goal of fault detection is to reach agreement on 
whether or not a fault occurred during the current segment. Typically, fault 
detection is achieved by having every player broadcast (with a protocol for 
Byzantine agreement) a binary message according to whether or not he ob- 
served or was informed about an inconsistency in any round of the current 
segment, and a fault is detected if at least one player complains. The follow- 
ing steps 3. to 5. are performed if and only if a fault is detected. 

3. Fault localization. The purpose of fault localization is to find out which 
players are corrupted or, because agreement about this can usually not be 
reached, at least to narrow down the set of players containing the cheaters. 
The output of fault localization is a set $\mathcal{D}$ with $|\mathcal{D}| = p$ players, guaranteed to contain at least $r$ cheaters, denoted as $(r, p)$-localization.

4. Player elimination. The set $\mathcal{D}$ agreed upon during fault localization is eliminated from the further computation. In general, after eliminating the players in $\mathcal{D}$, the protocol cannot be continued immediately, but it must be transformed to capture the new setting with $n - p$ players and at most $t - r$ cheaters.

5. Fault correction. Since some players are eliminated whenever a fault is 
detected, faults can be corrected simply by repeating the current segment of 
the protocol. 


3 Constructing Efficient Multi-party Computation 
Protocols 

In this section we present a construction of efficient multi-party computation 
protocols in the secure-channels model, based on the framework with player- 
elimination from the previous section. We first formally define the considered 
model, then we describe the main (top-level) protocol and finally all required 
sub-protocols. 


3.1 Model 

We consider the well-known secure-channels model as used in [BGW88, CCD88]: 
The set $\mathcal{P} = \{P_1, \ldots, P_n\}$ of $n$ players is connected by bilateral synchronous reliable secure channels. Broadcast channels are not assumed to be available. The
goal of the protocol is to compute an agreed function, specified as an arithmetic 
circuit over a finite field $F$ with $|F| > n$. The number of inputs to the circuit is denoted by $n_I$, the total number of outputs by $n_O$,² the number of multiplication gates in the circuit by $m$, and the multiplicative depth by $d$ (i.e., the maximal number of multiplication gates in any path of the circuit). To each player $P_i$ a unique public value $\alpha_i \in F \setminus \{0\}$ is assigned. There are no further assumptions about the field.³ The computation of the function must be secure
with respect to a computationally unbounded adaptive active adversary who 
can corrupt up to t of the players, where t is a given threshold with t < n/3. 
Once a player is corrupted, the adversary can read all his information and can 
make the player misbehave arbitrarily. The security of our protocol is perfect, 
i.e. unconditional with zero failure probability. Formal definitions of security can 
be found in [Can00] and in [MR98], and our protocol is secure for any of these
definitions. 

To simplify the presentation, we adopt the following convention throughout 
the description of the protocols: Unless otherwise stated, whenever a player does 
not receive an expected message, or receives a malformed message, then a default 
value for this message is taken. 


² $n_O$ specifies the total number of outputs — if the same value is given as output to several players, then this value is counted several times.

³ This is in contrast to the protocol in [BGW88], where the existence of an $n$-th root of unity in $F$ is assumed.
3.2 Main Protocol

The protocol follows the classical approach for secure multi-party computation: 
First, each player secret-shares his input(s) among the players. Second, the cir- 
cuit is evaluated with the shared values. Third, the output value(s) are recon- 
structed towards the authorized players. 

According to the framework from Sect. 2, the circuit will be divided into seg- 
ments. If the evaluation of a segment fails, then some players are eliminated and 
the segment is repeated. Clearly, all players must be able to provide input and 
receive output, including players that are eliminated in the protocol evaluation 
(also honest players can be eliminated). This is achieved by using a resilient pro- 
tocol (which does not make use of the player-elimination technique) for sharing 
input values. No special measures are necessary for receiving output, because 
the secret-reconstruction protocol can also be performed towards an eliminated 
player (this player only receives values and cannot cause inconsistencies).

Sharing. The sharing is based on Shamir’s secret-sharing scheme [Sha79], ex- 
tended to a two-dimensional sharing [GHY87, BGW88, CCD88, RB89, FHM98]. 
Each value is shared among the players with a polynomial of degree t, and each 
share is again shared among the players with a polynomial of degree t. Formally, 
a value $s$ is $t$-shared among the players if there exist degree-$t$ polynomials $f$ and $f_1, \ldots, f_n$ with $s = f(0)$ and $f_i(0) = f(\alpha_i)$. The information held by player $P_i$ is the share $s_i = f(\alpha_i)$, the polynomial $f_i$, and the share-shares $s_{ji} = f_j(\alpha_i)$ (for $j = 1, \ldots, n$). The polynomials in the sharing must be randomly chosen such that any set of $t$ players does not obtain any information about the secret.

Segmentation. Due to the linearity of the secret-sharing scheme, linear func- 
tions of shared values can be computed non-interactively, and hence only mul- 
tiplication gates are relevant for the communication complexity. In order to 
partition the circuit with m multiplication gates and multiplicative depth d into 
segments, we select an ordering of the gates which satisfies the partial order 
defined by the circuit (i.e., the inputs of the i-th gate must be provided by gates 
with index smaller than i). Every segment consists of a number of consecutive 
gates, subject to the following bounds: 

• the number $m_s$ of multiplication gates in each segment is at most $\lceil m/n \rceil$,

• the multiplicative depth $d_s$ of each segment is at most $\lceil d/n \rceil$.

Furthermore, in every segment (except the last) at least one of the above bounds is satisfied with equality, hence the total number of segments is smaller than $2n$.
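The segmentation rule above, as an added example that is not the paper's own code: a greedy partition of the multiplication gates of a constructed toy circuit into consecutive segments that respect both bounds, where `DEPS`, `mult_depths`, `segment` and `segment_stats` are hypothetical names chosen here.

```python
import math

# Constructed toy circuit (not from the paper): only multiplication gates are listed,
# in an order compatible with the circuit's partial order; DEPS[g] holds the indices of
# the multiplication gates feeding gate g (linear gates cost no communication).
DEPS = [[], [], [0], [1], [2, 3], [4], [5], [6], [7, 0], [8]]

def mult_depths(deps):
    """Multiplicative depth of every gate: 1 + the largest depth among its predecessors."""
    depth = []
    for preds in deps:
        depth.append(1 + max((depth[p] for p in preds), default=0))
    return depth

def segment(deps, n):
    """Greedy partition of the gates into consecutive segments with at most ceil(m/n)
    multiplication gates and multiplicative depth at most ceil(d/n) each, as in Sect. 3.2.
    Returns half-open index ranges (start, end)."""
    m, depth = len(deps), mult_depths(deps)
    d = max(depth, default=0)
    max_gates, max_depth = math.ceil(m / n), math.ceil(d / n)
    segments, start = [], 0
    while start < m:
        rel, end = {}, start          # rel[g]: depth of g counted inside the current segment
        while end < m:
            # predecessors from earlier segments are already computed and add no depth
            rd = 1 + max((rel[p] for p in deps[end] if p in rel), default=0)
            if end - start + 1 > max_gates or rd > max_depth:
                break                 # this gate would violate a bound: close the segment
            rel[end] = rd
            end += 1
        segments.append((start, end))
        start = end
    return segments

def segment_stats(deps, segs):
    """(number of gates, multiplicative depth) of every segment, for checking the bounds."""
    stats = []
    for start, end in segs:
        rel = {}
        for g in range(start, end):
            rel[g] = 1 + max((rel[p] for p in deps[g] if p in rel), default=0)
        stats.append((end - start, max(rel.values(), default=0)))
    return stats
```

With $n = 4$ players the toy circuit ($m = 10$, $d = 8$) yields five segments, fewer than $2n$, and every segment but the last meets one of the two bounds with equality.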

At the end of every segment, fault detection is performed and agreement is 
reached on whether or not a fault occurred within the segment. If no fault oc- 
curred, then the computation of this segment is completed, and the next segment 
is started. If a fault is detected, then a $(1, 2)$-localization $\mathcal{D} \subset \mathcal{P}$ will be found
and eliminated (we will not consider other types of localizations), and the evaluation of the segment is repeated. During the whole circuit evaluation, at most $t$ segments fail. The described segmentation guarantees that the repeated computation will not dominate the overall protocol complexity, neither in terms of the number of communicated bits nor in terms of the number of communication rounds.

150 Martin Hirt, Ueli Maurer, and Bartosz Przydatek

Protocol Overview. Let $\mathcal{P}$ denote the set of players, where $n = |\mathcal{P}|$, and $t < n/3$ the upper bound on the number of cheaters. During the computation, players can be eliminated, and then $\mathcal{P}'$ will denote the set of remaining players, $n' = |\mathcal{P}'|$, and $t'$ the upper bound on the number of cheaters in this set.

0. Set $\mathcal{P}' := \mathcal{P}$, $n' := n$, $t' := t$.

1. Input stage: Every player P providing input secret-shares his input value 
(Sect. 3.3). 

2. Computation stage (Sect. 3.4): For each segment of the circuit: 

2.1 For each gate in the segment (all gates at the same level can be evaluated 
in parallel): 

• If the gate is linear: Call the sub-protocol for the evaluation of linear 
functions. 

• If the gate is a multiplication gate: Call the multiplication sub- 
protocol. Players that have detected (or were notified about) a fault 
earlier in this segment use default shares. 

2.2 For each $P_i \in \mathcal{P}'$, broadcast one bit according to whether or not a fault was observed (or notified) in the segment. If at least one player reports a fault, then the segment fault-localization procedure is invoked to find a $(1, 2)$-localization $\mathcal{D}$, and $\mathcal{P}'$ is set to $\mathcal{P}' \setminus \mathcal{D}$, $t'$ is set to $t' - 1$, and step 2. is restarted (for the same segment).

3. Output stage: For every player P that is to receive output: Call the sub- 
protocol for receiving output (Sect. 3.5). 

3.3 Input Stage 

In the input stage, every player secret-shares his input(s). Let $\mathcal{P}$ be the set
of players, at most t of which are corrupted, and let P be a designated dealer 
holding a secret input s. The protocol for providing s as input is a variation of the 
verifiable secret-sharing (VSS) protocol of Ben-Or, Goldwasser and Wigderson 
[BGW88]: 

1. Distribution. The dealer $P$ selects at random a polynomial $p(x, y) = \sum_{i,j=0}^{t} r_{ij} x^i y^j$ of degree $t$ in both variables, where $p(0, 0) = s$, and sends the polynomials $f_i(x) = p(x, \alpha_i)$ and $\tilde{f}_i(y) = p(\alpha_i, y)$ to player $P_i$ (for $i = 1, \ldots, n$).⁴ This implicitly defines the polynomial $f(x) = p(0, x)$.

2. Consistency checks. Each pair of players $P_i, P_j$ (for $1 \le i, j \le n$) checks whether $f_i(\alpha_j) = \tilde{f}_j(\alpha_i)$. For this, $P_i$ sends $f_i(\alpha_j)$ to $P_j$, and $P_j$ checks whether the received value is equal to $\tilde{f}_j(\alpha_i)$.

⁴ An efficiency gain of a factor 2 can be achieved by setting $r_{ij} = r_{ji}$, and hence $\tilde{f}_i(x) \equiv f_i(x)$. One can prove that privacy is not violated by this technique. See [CDM00] for more details.
3. Complaint stage. Every player broadcasts a message (containing one bit)
indicating whether all consistency checks were successful or at least one test 
failed. In case of a complaint, the player afterwards broadcasts a bit-vector, 
where the j-th bit indicates whether or not the player has observed an incon- 
sistency with player Pj. The dealer answers the complaints by broadcasting 
the corresponding correct values. 

4. Accusation stage. If a player $P_j$ observes more than $t$ inconsistencies or discovers that the dealer's answers contradict his own values, he broadcasts an accusation. In such a case the dealer broadcasts both polynomials $f_j(x)$ and $\tilde{f}_j(y)$. The published polynomials can cause some new inconsistencies with the values held by some other players, who react again with accusations, and so on.⁵ If more than $t$ players have accused, or if the dealer did not answer all the complaints and accusations, a default sharing (e.g., the constant sharing of 0) is taken.

In the protocol of [BGW88], the share of player $P_i$ is $s_i = f(\alpha_i) = f_i(0)$, and the second dimension of the sharing is not used. In our scheme, the share of player $P_i$ is the polynomial $f_i$ (and in particular $s_i = f_i(0)$), as well as the share-shares $s_{ji} = f_j(\alpha_i) = p(\alpha_i, \alpha_j)$ (for $j = 1, \ldots, n$).

In order to analyze the security of this secret-sharing protocol we distinguish 
two cases: (a) If the dealer is honest, all shares and share-shares of honest players 
will be consistent, and only values held by corrupted players can be published. No 
honest player will accuse the dealer, hence there will be at most t accusations. 
Clearly, in this case the outcome will be a proper t-sharing. (b) If the dealer 
is corrupted, then at the end of the protocol (if there were not more than t 
accusations) the cross-over points of all honest players are consistent, and their 
share-shares uniquely define a two-dimensional polynomial p'(x,y), satisfying 
the conditions for a proper t-sharing. If there were more than t accusations, 
then at least one of the accusations origins from an honest player, and indeed 
the dealer is cheating. In this case it is legitimate to take some default value as 
the dealer’s secret. 


3.4 Computation Stage 

The computation of the circuit proceeds segment by segment. We denote the current set of players with $\mathcal{P}'$, where $n' = |\mathcal{P}'|$, and the current upper bound on the number of cheaters in $\mathcal{P}'$ with $t'$. Without loss of generality, we assume that $\mathcal{P}' = \{P_1, \ldots, P_{n'}\}$. A segment is computed as follows: First, the gates
of the segment are computed. Linear functions can be computed robustly (as 
no communication is needed). In contrast, the computation of multiplication 
gates is private and verifiable, but not robust. At the end of each multiplication 
sub-protocol, the (honest) players inform each other in a weak fault detection 

5 One can show that two rounds of accusations are sufficient to reach agreement. After 
two rounds of accusations, either the total number of accusations exceeds t, or all 
accusations in the second round originate from corrupted players. 
procedure whether or not they observed an inconsistency. If a player observed
such an inconsistency, or was informed about one in weak fault detection, then 
he continues the computation of the segment with default values independent of 
the actual shares. At the end of each segment, fault detection is performed and, 
if necessary, fault localization, player elimination and fault correction. 


Linear Functions. Let $\mathcal{L}$ be a linear function, and assume that the values $a, b, \ldots$ are $t'$-shared with polynomials $f, f_1, \ldots, f_{n'}$, $g, g_1, \ldots, g_{n'}$, $\ldots$, respectively. Due to the linearity of $\mathcal{L}$, the polynomials $h = \mathcal{L}(f, g, \ldots)$ and $h_i = \mathcal{L}(f_i, g_i, \ldots)$ define a $t'$-sharing of $c = \mathcal{L}(a, b, \ldots)$. Hence, player $P_i$ can compute his share of $c$ as $h_i = \mathcal{L}(f_i, g_i, \ldots)$ and $c_{ji} = \mathcal{L}(a_{ji}, b_{ji}, \ldots)$ (for $j = 1, \ldots, n'$). The privacy of this protocol is trivial (there is no communication), and the correctness is due to the linearity of the sharing.


Multiplication. The crucial sub-protocol for multiplication is a re-sharing protocol. A re-sharing protocol is a protocol that takes a degree-$\gamma$ sharing of a value $s$ and generates an independent degree-$\delta$ sharing of $s$. This re-sharing is possible in a verifiable (but non-robust) manner if $t' < n' - \gamma$. Privacy can be guaranteed if $t' \le \gamma$ and $t' \le \delta$.

The protocol for computing the $t'$-shared product $c$ of two $t'$-shared values $a$ and $b$ proceeds in three steps: First, both inputs $a$ and $b$ are re-shared with degree $t'$. Second, every player locally multiplies his respective shares and share-shares of $a$ and $b$, resulting in a degree-$2t'$ sharing of $c$. And third, this degree-$2t'$ sharing of $c$ is re-shared to a degree-$t'$ sharing.

We have to show that the necessary (and sufficient) conditions for all re-sharings are satisfied: After a sequence of $k$ $(1, 2)$-localizations and eliminations, we have $n' = n - 2k$ and $t' = t - k$. The requirements for the re-sharing are $t' < n' - t'$ and $t' < n' - 2t'$, and both are satisfied for $3t < n$.

Re-sharing protocol. The goal of re-sharing is to transform a $\gamma$-sharing of a value $s$ into a proper and independent $\delta$-sharing of $s$, where $t' < n' - \gamma$, $t' \le \gamma$ and $t' \le \delta$. The re-sharing sub-protocol can fail in the presence of malicious players.
However, if it fails, all (honest) players will learn so, and at the end of the 
segment, agreement on whether or not such a fault occurred will be reached and 
the segment will be repeated if necessary. 

Roughly speaking, our re-sharing protocol works along the lines of degree re- 
duction of [BGW88, GRR98], but it is significantly more efficient, due to various 
techniques in the spirit of the player-elimination framework (cf. Sect. 2). 

Assume that $s$ is $\gamma$-shared with the polynomials $f$ and $f_1, \ldots, f_{n'}$, and player $P_i$ holds the polynomial $f_i(x)$ (hence his share $s_i = f_i(0)$), and his share-shares $s_{ji} = f_j(\alpha_i)$ (for $j = 1, \ldots, n'$). The value $s$ can be expressed as a linear combination (Lagrange interpolation) of the values $s_1, \ldots, s_{n'}$ [BGW88, GRR98]. Therefore, once the values $s_1, \ldots, s_{n'}$ are $\delta$-shared, the required $\delta$-sharing of $s$ can be computed by a distributed evaluation of the appropriate linear function (as described in Sect. 3.4). Thus, the re-sharing can be performed as follows:
Every player $\delta$-shares his share $s_i$, proves that the shared value is indeed $s_i$, and computes his degree-$\delta$ share of $s$ as a linear combination of the received shares of $s_1, \ldots, s_{n'}$.

We describe the steps in more detail: 

1. Non-robust VSS. Every player $P_i$ shares his share $s_i$ with the degree-$\delta$ polynomials $h^{(i)}, h^{(i)}_1, \ldots, h^{(i)}_{n'}$ in a non-robust but verifiable manner. The protocol works like the first two steps of the VSS in the input stage (Sect. 3.3):

a) $P_i$ selects at random a polynomial $p^{(i)}(x, y)$ of degree $\delta$ in both variables, where $p^{(i)}(0, 0) = s_i$, and sends the polynomials $h^{(i)}_j(x) = p^{(i)}(x, \alpha_j)$ and $\tilde{h}^{(i)}_j(y) = p^{(i)}(\alpha_j, y)$ to player $P_j$ (for $j = 1, \ldots, n'$). This implicitly defines the polynomial $h^{(i)}(x) = p^{(i)}(0, x)$.

b) Each pair of players $P_j, P_k$ (for $1 \le j, k \le n'$) verifies the equality of their common shares. For this, $P_j$ sends $h^{(i)}_j(\alpha_k)$ to $P_k$, who then checks whether the received value is equal to $\tilde{h}^{(i)}_k(\alpha_j)$.

2. Proving correctness. Every player $P_i$ proves that $h^{(i)}(0) = f_i(0)$ by showing that the free coefficient of the polynomial $h^{(i)}(x) - f_i(x)$ is equal to zero. This is done in two steps:

a) Let $\nu = \max(\gamma, \delta)$. $P_i$ computes the polynomial $g^{(i)}(x) := (h^{(i)}(x) - f_i(x))/x$ (whose degree is at most $\nu - 1$), and distributes the shares of $g^{(i)}$ among the players. For this purpose the non-robust VSS protocol from Step 1 is used, where the corresponding two-dimensional polynomial, say $q^{(i)}(x, y)$, is chosen randomly, but such that $q^{(i)}(0, x) = g^{(i)}(x)$.

b) Every player $P_k$ checks whether $\alpha_k g^{(i)}(\alpha_k) = h^{(i)}(\alpha_k) - f_i(\alpha_k)$.

3. Weak fault detection. Every player sends to every other player one bit 
indicating whether or not any of his consistency checks in Steps 1, 2a and 
2b, have failed. 

4. Lagrange interpolation. Every player $P_i$ who has neither detected nor was informed about any inconsistencies computes his degree-$\delta$ share of $s$ as a linear combination of his shares of $s_1, \ldots, s_{n'}$.

It is easy to see (using basic algebra), that if no player has reported inconsis- 
tencies during the weak fault detection, then the result of re-sharing is a proper 
$\delta$-sharing of $s$. Otherwise, if at least one (honest) player has sent or received a
bit indicating inconsistencies, it will be possible to identify a (1, 2)-localization. 
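Steps 2 and 4 of the re-sharing protocol, as an added example that is not the paper's own code. It models each $P_k$'s view after Step 1 by the three values $g^{(i)}(\alpha_k)$, $h^{(i)}(\alpha_k)$ and $f_i(\alpha_k)$ he holds, and also works out the bound behind Step 2b: a corrupted $P_i$ with $h^{(i)}(0) \neq s_i$ can satisfy the check of at most $\nu = \max(\gamma, \delta)$ players. Assumptions: a prime field with $\alpha_i = i$, $n' = 7$, $t' = 2$, $\gamma = 2t'$ and $\delta = t'$ (the multiplication case), seeded randomness, and the function names used here.

```python
import random

# Constructed parameters (not from the paper): GF(P) with P prime, alpha_i = i, seeded RNG.
P = 2**61 - 1
rng = random.Random(7)
NP, TP = 7, 2                 # n' = 7 remaining players, at most t' = 2 of them corrupted
GAMMA, DELTA = 2 * TP, TP     # re-share the degree-2t' product sharing down to degree t'
ALPHAS = list(range(1, NP + 1))

def poly_eval(coeffs, x):
    """Horner evaluation of sum(coeffs[a] * x^a) in GF(P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def random_poly(constant, deg):
    """Random polynomial of the given degree with the given free coefficient."""
    return [constant] + [rng.randrange(P) for _ in range(deg)]

def lagrange_eval(points, values, x):
    """Value at x of the unique polynomial of degree < len(points) through (points[i], values[i])."""
    total = 0
    for a, va in zip(points, values):
        num, den = 1, 1
        for b in points:
            if b != a:
                num, den = num * (x - b) % P, den * (a - b) % P
        total = (total + va * num * pow(den, P - 2, P)) % P
    return total

def gamma_sharing(s):
    """gamma-sharing in the sense of Sect. 3.2: f of degree gamma with f(0) = s, and for
    every P_i a degree-gamma f_i with f_i(0) = f(alpha_i).  Returns (f, [f_1, ..., f_n'])."""
    f = random_poly(s, GAMMA)
    return f, [random_poly(poly_eval(f, i), GAMMA) for i in ALPHAS]

def honest_prover(f_i):
    """Step 2a for an honest P_i: h^(i) of degree delta with h^(i)(0) = s_i = f_i(0), and
    g^(i) = (h^(i) - f_i) / x, an exact division because the free coefficient cancels."""
    h = random_poly(poly_eval(f_i, 0), DELTA)
    width = max(len(h), len(f_i))
    diff = [((h[a] if a < len(h) else 0) - (f_i[a] if a < len(f_i) else 0)) % P
            for a in range(width)]
    assert diff[0] == 0
    return h, diff[1:]

def best_cheating_g(f_i, h):
    """A corrupted P_i with h^(i)(0) != f_i(0) cannot pass every check: the polynomial
    x*g(x) - (h^(i)(x) - f_i(x)) is nonzero at x = 0 and has degree <= nu = max(gamma, delta),
    so it vanishes at no more than nu points.  The best it can do is interpolate g through
    the required values at nu chosen players (here alpha_1..alpha_nu); all others detect it."""
    nu = max(GAMMA, DELTA)
    pts = ALPHAS[:nu]
    vals = [(poly_eval(h, k) - poly_eval(f_i, k)) * pow(k, P - 2, P) % P for k in pts]
    return lambda x: lagrange_eval(pts, vals, x)

def check_2b(alpha_k, g_at_k, h_at_k, f_i_at_k):
    """Step 2b, run by P_k on his own shares: alpha_k * g^(i)(alpha_k) == h^(i)(alpha_k) - f_i(alpha_k)."""
    return alpha_k * g_at_k % P == (h_at_k - f_i_at_k) % P

def reshare(s, cheater=None):
    """Re-sharing of a gamma-shared s with all Step 1 shares delivered correctly, so that
    only Step 2 can fail.  Returns (set of players that detect a fault, degree-delta shares of s)."""
    f, fs = gamma_sharing(s)
    hs, detectors = [], set()
    for i in ALPHAS:
        f_i = fs[i - 1]
        if i == cheater:                  # claims s_i + 1 instead of s_i
            h = random_poly((poly_eval(f_i, 0) + 1) % P, DELTA)
            g_at = best_cheating_g(f_i, h)
        else:
            h, g = honest_prover(f_i)
            g_at = lambda x, g=g: poly_eval(g, x)
        hs.append(h)
        for k in ALPHAS:
            if not check_2b(k, g_at(k), poly_eval(h, k), poly_eval(f_i, k)):
                detectors.add(k)
    # Step 4: P_k's new share is sum_i lambda_i * h^(i)(alpha_k) with the Lagrange coefficients
    # lambda_i for x = 0, i.e. the value at 0 of the polynomial through (alpha_i, h^(i)(alpha_k)).
    new_shares = [lagrange_eval(ALPHAS, [poly_eval(h, k) for h in hs], 0) for k in ALPHAS]
    return detectors, new_shares

def recover(shares):
    """Reconstruct s from the first delta + 1 degree-delta shares (only to check the result)."""
    return lagrange_eval(ALPHAS[:DELTA + 1], shares[:DELTA + 1], 0)
```

With a cheating $P_3$ the players $P_5, P_6, P_7$ fail the check, which is $n' - \nu \ge n' - 3t' > 0$ detectors, so weak fault detection in Step 3 is always triggered.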

Fault Detection. At the end of the segment, every player $P_i$ broadcasts one bit indicating whether or not an inconsistency was observed by or reported to $P_i$ in one of the re-sharing protocols in the segment. If all players broadcast a
confirmation (i.e., no inconsistency was observed), then the computation of the 
segment is completed and the next segment can be started. If at least one player 
broadcasts a complaint, then fault localization is invoked. 

Fault Localization. The goal of fault-localization is to identify a $(1, 2)$-localization $\mathcal{D}$, i.e. a set $\mathcal{D} \subset \mathcal{P}'$ containing two players, at least one of them being corrupted. These players will then be eliminated from the protocol, and hence fault localization is invoked at most $t$ times.

The two players to be eliminated are selected from the players involved in 
the first fault that occurred in the current segment. In order to determine the 
first fault, every player who complained during fault detection broadcasts the 
index (relative to the segment) of the re-sharing protocol, in which for the first 
time an inconsistency occurred, together with a number denoting the step of 
the re-sharing protocol in which the fault was detected (Step 1, 2a or 2b), or 
reported (Step 3). Among all the broadcast indices the smallest one is selected. 
Let $P_k$ denote the player who complained about the selected re-sharing protocol.⁶ The method of determining the $(1, 2)$-localization $\mathcal{D}$ depends on the step of
the re-sharing protocol in which the first fault appeared. Four cases must be 
distinguished: 

(i) The first fault is in Step 1, i.e. for some $i$ and $j$, the value $h^{(i)}_j(\alpha_k)$ sent by $P_j$ differs from $\tilde{h}^{(i)}_k(\alpha_j)$:

$P_k$ broadcasts $i$, $j$, and $\tilde{h}^{(i)}_k(\alpha_j)$. On this request, $P_j$ broadcasts $h^{(i)}_j(\alpha_k)$, and $P_i$ broadcasts $p^{(i)}(\alpha_k, \alpha_j)$. Given these three values, the set $\mathcal{D}$ is determined as follows:

- If $h^{(i)}_j(\alpha_k) = \tilde{h}^{(i)}_k(\alpha_j)$, then $\mathcal{D} := \{P_j, P_k\}$, else

- if $p^{(i)}(\alpha_k, \alpha_j) \neq \tilde{h}^{(i)}_k(\alpha_j)$, then $\mathcal{D} := \{P_i, P_k\}$, else

- $p^{(i)}(\alpha_k, \alpha_j) \neq h^{(i)}_j(\alpha_k)$, and $\mathcal{D} := \{P_i, P_j\}$.

(ii) The first fault is in Step 2a: analogously to the case (i). 

(iii) The first fault is in Step 2b, i.e., for some $i$ the check $\alpha_k g^{(i)}(\alpha_k) = h^{(i)}(\alpha_k) - f_i(\alpha_k)$ failed:

According to $P_k$, player $P_i$ is cheating, so $P_k$ broadcasts the index $i$, and $\mathcal{D}$ is set to $\{P_i, P_k\}$.

(iv) The first fault is in Step 3, i.e., $P_k$ claims that in Step 3 some player reported a fault to him:

Since no player admits the discovery of an inconsistency (as follows from the rule for choosing $P_k$), obviously either $P_k$ is lying or the player who reported the fault to him was malicious. $P_k$ broadcasts the index $i$ of the player $P_i$ who in Step 3 reported the fault to him, and $\mathcal{D}$ is set to $\{P_i, P_k\}$.

It is obvious that all players find the same set V, and that in each case at 
least one player in V is corrupted, hence V is a (1, 2)-localization. 


Player Elimination. All players set $P'$ to $P' \setminus D$, and reduce $t'$ to $t' - 1$.

Fault Correction. Fault correction is achieved by repeating the failed segment. 
Since after each failure at least one malicious player is eliminated, at most t 
segments will be repeated in a complete protocol run. 

⁶ If there are several such players, we consider those who have broadcast the smallest
step-number, and from that group the player with the smallest index $k$ is chosen.

3.5 Output Stage

Let $P$ be the designated player supposed to receive a value $s$ that is $t'$-shared
among the players in $P'$ with the polynomials $f$ and $f_1, \ldots, f_{n'}$. First, every
player $P_i \in P'$ sends the polynomial $f_i(x)$ and the share-shares $s_{1i}, \ldots, s_{n'i}$
to $P$. Then, $P$ interpolates the secret $s$ from the shares $s_i = f_i(0)$ for all $i$ where
$f_i(x)$ is consistent with all but (at most) $t'$ share-shares $s_{ij}$. Note that this
protocol needs neither error correction nor broadcast.

The privacy of this protocol is obvious. The correctness can be proven as
follows: At most $t'$ players send a bad polynomial $f_i' \neq f_i$, and they will be
inconsistent with at least $n' - t - t' > t'$ share-shares. Hence, $P$ will ignore bad
polynomials and interpolate the correct secret $s$.
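The output stage above, re-enacted over a toy prime field as an added example (not the paper's code); the field $F_{1009}$, $n' = 7$, $t' = 2$, the evaluation points $\alpha_i = i$ and the two corrupted players are all constructed here:

```python
"""Output stage of Sect. 3.5 over a toy prime field (added example, not the
paper's code).  F_p with p = 1009, n' = 7, t' = 2, alpha_i = i and the set of
corrupted players are constructed here for illustration."""
import random

P = 1009  # toy prime field F_p (constructed)


def poly_eval(coeffs, x):
    """Evaluate a polynomial (coefficient list, constant term first) at x."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def lagrange_at_zero(points):
    """Value at 0 of the unique polynomial through the given (x, y) points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def random_poly(const, degree, rng):
    """Random polynomial of the given degree with prescribed constant term."""
    return [const] + [rng.randrange(P) for _ in range(degree)]


def reconstruct(messages, alphas, t_prime):
    """The designated player P's side of the output stage.

    messages[i] = (f_i as coefficient list, [s_1i, ..., s_n'i]) is what P_i
    sent, where s_ji should equal f_j(alpha_i).  f_i is accepted only if it
    is consistent with all but at most t' of the share-shares s_ij held by
    the other players; s is then interpolated from the accepted s_i = f_i(0).
    Neither broadcast nor error correction is needed.
    Returns (s, list of accepted alpha_i).
    """
    n_prime = len(alphas)
    accepted = []
    for i in range(n_prime):
        f_i = messages[i][0]
        inconsistent = sum(1 for j in range(n_prime)
                           if poly_eval(f_i, alphas[j]) != messages[j][1][i])
        if inconsistent <= t_prime:
            accepted.append((alphas[i], poly_eval(f_i, 0)))
    if len(accepted) < t_prime + 1:
        raise ValueError("too few consistent polynomials to interpolate s")
    return lagrange_at_zero(accepted), [a for a, _ in accepted]


def run_scenario(secret, seed=1, n_prime=7, t_prime=2, corrupted=(2, 5)):
    """t'-share `secret`, let the corrupted players (0-based indices) send a
    wrong polynomial and arbitrary share-shares, and run the output stage."""
    rng = random.Random(seed)
    alphas = list(range(1, n_prime + 1))                  # alpha_i = i
    f = random_poly(secret, t_prime, rng)                   # s is t'-shared by f
    s = [poly_eval(f, a) for a in alphas]                   # s_i = f(alpha_i)
    f_sub = [random_poly(s_i, t_prime, rng) for s_i in s]   # s_i shared by f_i
    # honest message of P_i: f_i and the share-shares s_ji = f_j(alpha_i) it holds
    messages = [(f_sub[i], [poly_eval(f_sub[j], alphas[i]) for j in range(n_prime)])
                for i in range(n_prime)]
    for c in corrupted:
        bad_poly = random_poly((s[c] + 1) % P, t_prime, rng)   # f'_c != f_c
        bad_shares = [rng.randrange(P) for _ in range(n_prime)]
        messages[c] = (bad_poly, bad_shares)
    return reconstruct(messages, alphas, t_prime)
```

A wrong degree-$t'$ polynomial agrees with the true $f_c$ in at most $t'$ of the $n' - t'$ honest share-shares, so it is always rejected, while an honest polynomial is contradicted only by the (at most $t'$) corrupted players.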

4 Complexity Analysis 

In this section we analyze the communication complexity of the proposed multi- 
party computation protocol and compare it with the most efficient protocols 
known before. We focus on the case when an adversary is present and neglect 
the efficiency gain that some protocols (e.g., [FY92]) achieve when no fault at 
all occurs. 

The communication complexity of a protocol is characterized by two quan- 
tities: the message complexity (MC, the total number of bits transmitted by 
all players during the protocol), and the round complexity (RC, the number of 
communication rounds of the protocol). 

When analyzing the communication complexity of a multi-party protocol,
one must also include the communication costs for simulating the broadcast
channels. For most protocols in the literature (but not for ours), these costs
dominate the overall complexity of the protocol. We consider two different
types of broadcast sub-protocols: protocols with optimal message complexity
($O(n^2)$ messages, but $O(n)$ rounds), e.g., [BGP89, CW89, DR85, HH91], and protocols
with optimal round complexity ($O(1)$ rounds, but $O(n^4)$ messages), e.g., [FM88]. So
far, no broadcast protocol with $O(1)$ rounds and $O(n^2)$ messages is known. In
the cryptographic setting, such a protocol is known for a model where a trusted
dealer is available in the set-up phase [CKS00], but this requirement contradicts
the main purpose of secure multi-party computation, namely getting rid of
the need for a trusted party. There also exist various techniques which improve
the efficiency of (stand-alone) protocols for Byzantine agreement, e.g. “early
stopping” [DRS82]. However, they lead to “staggered termination”, and it is
unclear how, and whether at all, they are applicable to multi-party computation
protocols.

4.1 Complexity of the New Protocol 

The communication complexity of the proposed MPC protocol (cf. Sect. 3) is 
stated in the following theorem. This result is achieved by employing a Byzantine 
agreement protocol with optimal message complexity [BGP89, CW89]. 
Theorem 1. The protocol of Sect. 3 allows a set of $n$ players, with at most
$t < n/3$ of them being corrupted, to securely compute a function over a finite field $F$,
using $O(d + n^2)$ communication rounds and with total communication complexity
$O(n_I n^4 + m n^3 + n_O n^2)$ field elements, where $n_I$ and $n_O$ denote the number of
inputs and outputs, respectively, $m$ denotes the number of multiplications and
$d$ the multiplicative depth of the circuit computing the function.

The detailed analysis of this protocol is omitted from this extended abstract.
We give only a very brief overview. The VSS protocol for providing one input
requires in the worst case $O(n^2)$ field elements to be broadcast, which results
in $O(n^4)$ field elements per input when using the most efficient broadcast
protocols [BGP89, CW89]. Each multiplication requires each player to secret-share
(with the non-robust VSS protocol) one element, which adds up to $O(n^3)$ field
elements per multiplication, and hence $O(m_s n^3)$ elements per segment with $m_s$
multiplication gates. Fault detection requires $O(n)$ bits to be broadcast per
segment, and fault localization requires $O(n \log m_s + \log |F|)$ bits to be broadcast
at the end of up to $t$ segments. For the proposed segmentation with $m_s = \lceil m/n \rceil$
and $d_s = \lceil d/n \rceil$, at most $2n$ segments are computed, which results in a total
message complexity of $O(m n^3)$ field elements. Only $O(n^2)$ field elements must be
broadcast in total (independently of the circuit size!), which does not dominate
the overall costs when $m > n$. The message complexity of secret reconstruction
is $O(n^2)$ elements per output (broadcast is not needed).

4.2 Comparison with Other Protocols 

The complexity of the new protocol is compared with the most efficient multi- 
party computation protocols for the unconditional model known before. In the 
sequel, we summarize the most important results. A more detailed complexity 
analysis can be found in [Prz99]. For simplicity we focus on the complexity
of the evaluation of the circuit, and ignore the complexities of providing inputs
and receiving outputs. The following table lists the message complexity (MC) and
the round complexity (RC) of the most efficient protocols for the unconditional 
model, once when a broadcast protocol with optimal bit complexity is applied, 
and once when a broadcast protocol with optimal round complexity is applied. 
The second last row in the table refers to the protocol of [BGW88], where the 
“Rabin’s trick” [GRR98] for simpler multiplication is used. Note that the other 
technique for increasing the efficiency of [BGW88] suggested in the same paper, 
namely the efficient proof that a shared secret is indeed the product of two 
shared factors, is shown to be insecure (see App. A), and hence its impact on 
the complexity is not analyzed. 

For completeness, in Table 2 we also state the complexities of the best protocol
for the cryptographic model [GRR98], in which up to $t < n/2$ of the players
can be corrupted, but the security of the protocol relies on unproven assumptions.
Subsequent to our work, a new protocol with cryptographic security was
proposed in [CDN00], and its complexity is also listed in the table (where $k$
denotes the security parameter). In contrast to other protocols, here the function
must be specified as a Boolean circuit, and the complexity is indicated in bits.
MPC protocol        Broadcast protocol    MC            RC
[BGW88]             [FM88]                $O(mn^8)$     $O(d)$
                    [BGP89, CW89]         $O(mn^6)$     $O(dn)$
[CCD88]             [FM88]                $O(mn^9)$     $O(dn)$
                    [BGP89, CW89]         $O(mn^7)$     $O(dn^2)$
[Bea91a]            [FM88]                $O(mn^8)$     $O(d)$
                    [BGP89, CW89]         $O(mn^6)$     $O(d + n)$
[FY92]              [FM88]                $O(mn^8)$     $O(d)$
                    [BGP89, CW89]         $O(mn^6)$     $O(dn)$
[BGW88, GRR98]      [FM88]                $O(mn^8)$     $O(d)$
                    [BGP89, CW89]         $O(mn^6)$     $O(dn)$
this paper          [BGP89, CW89]         $O(mn^3)$     $O(d + n^2)$

Table 1. Worst-case communication complexities of unconditional MPC protocols.


MPC protocol        Broadcast protocol    MC            RC
[GRR98]             [BGP89, CW89]         $O(mn^4)$     $O(dn)$
                    [FM88]                $O(mn^6)$     $O(d)$
[CDN00]             [BGP89, CW89]         $O(mn^3 k)$   $O(dn)$
                    [FM88]                $O(mn^5 k)$   $O(d)$

Table 2. Worst-case communication complexities of cryptographic MPC protocols.


5 Conclusions and Open Problems 

General secure multi-party computation protocols for evaluating an algebraic 
circuit will have important applications in distributed information systems. One 
major reason why such protocols are not yet widely used in practical applications 
is their hopeless inefficiency. In particular, they all make extensive use of a 
reliable broadcast channel, which in any reasonable application scenario is not 
available, and hence must be simulated by an expensive protocol among the 
players. 

In this paper we proposed a new framework for communication-efficient dis- 
tributed protocols, applied it to secure multi-party computations, resulting in a 
very efficient protocol. We stress that the message complexity (and possibly the 
round complexity), but not the computation complexity, are the bottlenecks in 
most distributed applications. 

There are several open problems to be solved to make general multi-party
protocols applicable in distributed systems. The main issue is definitely the model:
it is an open problem to generalize the framework to the asynchronous model,
and to convert the used techniques accordingly. Furthermore, it might be
interesting to generalize the results to non-threshold adversary structures [HM00].
Finally, it is questionable whether comparable efficiency improvements can be
achieved in a model with mobile adversaries, where player elimination seems not
to be applicable.
A Security Flaw in [GRR98]

In Appendix B (“Computing Multiplication with Faults”) of [GRR98],⁷ a very
efficient sub-protocol was proposed for proving that for three shared values $a$, $b$,
and $c$, the equation $c = ab$ holds. This sub-protocol was intended to replace the
(rather inefficient) verification sub-protocol (“tool (II)”) of [BGW88]. We show
in the sequel that this new sub-protocol of [GRR98] is insecure. First we briefly
summarize the protocol and then demonstrate the security flaw.

Assume that player $P$ has shared the values $a$, $b$, and $c$ with polynomials $f(x)$,
$g(x)$, and $h(x)$ respectively, all of degree at most $t$. Let $a_i$, $b_i$, and $c_i$ denote the
corresponding shares of player $P_i$, $i = 1, \ldots, n$. The protocol of [GRR98] works
as follows:

1. The dealer $P$ shares (using “normal” secret sharing, not VSS) a random
value with a polynomial $r(x)$ of degree $2t - 1$. The share $r_i$ of player $P_i$ is
$r_i = r(\alpha_i)$. Furthermore, $P$ computes and broadcasts the polynomial
$R(x) = x \cdot r(x) + f(x) \cdot g(x) - h(x)$. $R(x)$ is a random polynomial of degree $2t$,
and if $c = ab$ holds then $R(0) = 0$.

2. Every player $P_i$ verifies that $R(0) = 0$ and $R(\alpha_i) = \alpha_i \cdot r_i + a_i \cdot b_i - c_i$.
$P_i$ broadcasts either “OK”, if both checks were successful, or otherwise a
request to make his values public.

3. If in the previous step some requests occurred (at most $t$), $P$ broadcasts all
the requested data. If there were more than $t$ requests, $P$ is clearly cheating.

This protocol does not guarantee correctness, in contrast to what is claimed 
in the paper and was believed before. The dealer P can pass this verification 
even if c = ab does not hold: 

⁷ After the security problem was discovered, this appendix was deleted from the version
available online.

1. Instead of selecting a random polynomial $r(x)$ of degree $2t - 1$, the dealer
first selects a (random) polynomial $R(x)$ of degree $2t$ with $R(0) = 0$, then
computes and distributes the “shares” $r_1, \ldots, r_n$ as
$r_i = \alpha_i^{-1}(R(\alpha_i) - a_i \cdot b_i + c_i)$. The dealer can do so because the degree
of the polynomial $r(x)$ cannot be verified. Finally, $P$ broadcasts the polynomial $R(x)$.

Clearly, the checks in Step 2 of all players will succeed, and no (honest) player
will complain.
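The sub-protocol of [GRR98] and the dealer's deviation described above, re-enacted over a toy prime field as an added example (not code from [GRR98] or from this paper); $p = 1009$, $n = 7$, $t = 2$, $\alpha_i = i$ and the dealer's values are constructed here. Besides the Step 2 checks, the block runs the degree check on the $r_i$ that the protocol has no means to perform, which is exactly the check that would expose the deviation:

```python
"""Appendix A re-enacted over a toy prime field (added example; not code from
[GRR98] or from this paper).  p = 1009, n = 7, t = 2, alpha_i = i and the
dealer's inputs are constructed here."""
import random

P = 1009  # toy prime (constructed)

def poly_eval(coeffs, x):
    """Evaluate a polynomial (coefficient list, constant term first) at x."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def poly_add(a, b):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return [(u + v) % P for u, v in zip(a, b)]

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, u in enumerate(a):
        for j, v in enumerate(b):
            out[i + j] = (out[i + j] + u * v) % P
    return out

def random_poly(const, degree, rng):
    return [const] + [rng.randrange(P) for _ in range(degree)]

def lagrange_eval(points, x):
    """Value at x of the unique polynomial through the given (x_i, y_i) points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def players_verify(R, shares, alphas):
    """Step 2: every P_i checks R(0) = 0 and R(alpha_i) = alpha_i*r_i + a_i*b_i - c_i.
    shares[i] = (r_i, a_i, b_i, c_i).  True iff nobody has a complaint."""
    if poly_eval(R, 0) != 0:
        return False
    return all(poly_eval(R, x) == (x * r + a * b - c) % P
               for x, (r, a, b, c) in zip(alphas, shares))

def honest_dealer(a, b, t, alphas, rng):
    """Step 1 as specified: c = ab, r(x) random of degree 2t - 1 and
    R(x) = x*r(x) + f(x)*g(x) - h(x)."""
    f, g, h = (random_poly(v, t, rng) for v in (a, b, a * b % P))
    r = random_poly(rng.randrange(P), 2 * t - 1, rng)
    R = poly_add(poly_add([0] + r, poly_mul(f, g)), [(-c) % P for c in h])
    return R, [tuple(poly_eval(q, x) for q in (r, f, g, h)) for x in alphas]

def cheating_dealer(a, b, c, t, alphas, rng):
    """The flaw of App. A: c != ab, yet the dealer fixes R(x) first (degree 2t,
    R(0) = 0) and solves for the 'shares' r_i = alpha_i^{-1}(R(alpha_i) - a_i b_i + c_i).
    Nothing ties these r_i to a polynomial of degree 2t - 1."""
    f, g, h = (random_poly(v, t, rng) for v in (a, b, c))
    R = [0] + [rng.randrange(P) for _ in range(2 * t)]
    shares = []
    for x in alphas:
        a_i, b_i, c_i = (poly_eval(q, x) for q in (f, g, h))
        r_i = (poly_eval(R, x) - a_i * b_i + c_i) * pow(x, -1, P) % P
        shares.append((r_i, a_i, b_i, c_i))
    return R, shares

def degree_of_r_is_ok(shares, alphas, t):
    """The check the protocol lacks: do the r_i lie on a polynomial of degree
    <= 2t - 1?  Interpolate through 2t of them and test the remaining points."""
    pts = [(x, s[0]) for x, s in zip(alphas, shares)]
    return all(lagrange_eval(pts[:2 * t], x) == y for x, y in pts[2 * t:])

def demo(seed=7, n=7, t=2):
    """Run both dealers and report what Step 2 and the missing degree check say."""
    rng = random.Random(seed)
    alphas = list(range(1, n + 1))
    a, b = 17, 23
    R_h, sh_h = honest_dealer(a, b, t, alphas, rng)
    R_c, sh_c = cheating_dealer(a, b, (a * b + 5) % P, t, alphas, rng)
    return {
        "honest_passes_step2": players_verify(R_h, sh_h, alphas),
        "honest_r_degree_ok": degree_of_r_is_ok(sh_h, alphas, t),
        "cheat_passes_step2": players_verify(R_c, sh_c, alphas),
        "cheat_r_degree_ok": degree_of_r_is_ok(sh_c, alphas, t),
    }
```

With $c \neq ab$ the implied values $r_i = (R(\alpha_i) - a_i b_i + c_i)/\alpha_i$ interpolate to a polynomial of degree $n - 1$, so a verifiable sharing of $r(x)$ with a degree bound of $2t - 1$ would have caught the deviation.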
Abstract. We introduce a novel approach to general secure multiparty
computation that avoids the intensive use of verifiable secret sharing 
characterizing nearly all previous protocols in the literature. Instead, 
our scheme involves manipulation of ciphertexts for which the underly- 
ing private key is shared by participants in the computation. The benefits 
of this protocol include a high degree of conceptual and structural sim- 
plicity, low message complexity, and substantial flexibility with respect 
to input and output value formats. We refer to this new approach as mix 
and match. 

While the atomic operations in mix and match are logical operations, 
rather than full field operations as in previous approaches, the techniques 
we introduce are nonetheless highly practical for computations involving 
intensive bitwise manipulation. One application for which mix and match 
is particularly well suited is that of sealed-bid auctions. Thus, as another 
contribution in this paper, we present a practical, mix-and-match-based 
auction protocol that is fully private and non-interactive and may be 
readily adapted to a wide range of auction strategies. 


Key words: auction, general secure multiplayer computation, millionaires’ prob- 
lem, secure function evaluation 

1 Introduction 

Consider the following scenario. Alice and Bob have respective fortunes A and 
B. They wish to determine who is richer, i.e., whether A > B, but do not wish 
to reveal any additional information about their fortunes. This task is known as 
the millionaires’ problem [44]. It is a special instance of the more general setting 
in which Alice and Bob, or indeed a larger number of players, wish to compute 
the output of a function $f$ on secret inputs without revealing any additional
information.

Alice and Bob can take one of several approaches. They might confide their 
fortunes to a trusted third party charged with the task of determining honestly 
whether A > B and not leaking any information to either party. Alternatively, 
they might construct a piece of trusted hardware for the same purpose. It has 
been known for some time, however, that Alice and Bob can in fact simulate a 
trusted party or device in such a way as to enable secure computation of general 
functions [44,27]. Computation of this sort involving two or more players is 
known as secure multiparty computation. For general functions / it is known as 
general secure multiparty computation or secure function evaluation. 

All of the current approaches to general secure multiparty computation rely
on the simulation of a circuit $C_f$ for the function $f$ of interest. This circuit is
typically viewed as being composed of gates implementing two operators, such
as $+$ (modular addition) and $\times$ (modular multiplication), that together allow
for the realization of an arbitrary computable function. In nearly every protocol
in the literature with robustness against active adversaries, the lynchpin is a
cryptographic primitive known as verifiable secret sharing (VSS), introduced in
[14]. Players distribute their inputs to $C_f$ by dealing shares to other players
through a VSS protocol. At any stage in the computation, concealed values are
held distributively. To simulate a $+$ gate, players perform local addition of their
shares. To simulate a $\times$ gate, they perform an interactive protocol involving
multiplication of pairs of shares held by different players.

In this paper, we investigate a different approach to secure function evalua- 
tion. Rather than employing multi-player sharing of individual inputs or inter- 
mediate computational results, we consider a representation of these values as 
ciphertexts. We concentrate in particular in this paper on use of the El Gamal 
cryptosystem [24], although use of other semantically secure cryptosystems, such 
as Cramer-Shoup [18], is possible. Distribution of trust among the players in our 
scheme relies on sharing of a single, underlying private decryption key. Play- 
ers perform the operations required by the computation using well established 
techniques for distributed manipulation of El Gamal ciphertexts. 

A brief sketch of our approach is as follows. Having agreed upon a function $f$
and a circuit representation $C_f$, the players provide El Gamal ciphertexts of their
input bits. Gates in $C_f$ are each represented by a boolean function, such as AND
or NOT (although others are possible). For each gate, the players construct a
logical table corresponding to the function computed by the gate, the entries in
this table consisting of El Gamal ciphertexts. In an initial blinding phase, the
players use a primitive known as a mix network to blind and perform row-wise
permutation of these tables in a distributed fashion. The basis of the subsequent
computation phase, which we refer to as matching, is a primitive called a plaintext
equality test (PET). The PET primitive enables players to determine in a
distributed fashion whether two given ciphertexts represent the same plaintext.
Players evaluate the circuit $C_f$ iteratively, using PET to perform table lookups.
For each gate, they compare ciphertext input values to ciphertext values in the
corresponding blinded logical table. When the correct row in the table is found,
the players obtain an output ciphertext from the third column. Due to the use
of blinded permutation, they do not learn the plaintext corresponding to the
output value. The output ciphertext is used as input to the next gate (table).
We refer to this approach as mix-and-match computation.


1.1 Previous Work 

The idea of performing secure computation by means of blinded table lookups 
was essentially the basis for the original proposal of Yao [44], whose two-player 
scheme was predicated on the hardness of factoring. Goldreich, Micali, and 
Wigderson [27] generalized the basis of Yao’s scheme to use of any one-way 
trapdoor permutation. The idea behind both approaches in their two-party
instantiations is as follows. Alice constructs a circuit $C_f$ using boolean gates
represented as randomly permuted, blinded logical tables. Inputs to a gate (table)
are randomly generated tags representing different bit values. Each set of tags,
representing a given set of inputs to a table, serves as a decryption key for a
particular row of the table, and thus a particular output tag for the gate. By
means of a 1-2 oblivious transfer protocol, Alice blindly transfers to Bob the
tags representing his input values for the circuit, and also sends Bob her table
representation of $C_f$. For each gate in $C_f$, Bob uses the input tags to decrypt
output tags representing the corresponding gate output. He is thereby able to
evaluate $C_f$ without further interaction with Alice. See [27] for further details.

Chaum, Damgard, and van de Graaf [12] extend the notion of blinded table 
mixing and lookup to a multiparty scenario. In their scheme, each player in turn 
blinds the logical table for a given gate. The basis of this scheme is a homomorphic
commitment scheme that enables one player to alter the commitment of
another without knowing the correct decommitment.¹ Players provide cut-and-choose
proofs of correct behavior. The security of the scheme is unconditional
for one player, and for the others is based on the quadratic residuosity problem.

The Chaum et al. scheme is not robust against an active adversary, in the 
sense that such an adversary may corrupt the computation irretrievably or force 
it to halt. To achieve robustness, the authors recommend incorporation of VSS 
to enable reconstruction of the commitments in their scheme. Similarly, since 
the introduction of secure multiparty computation in [27], such protocols have 
generally employed VSS as a means of enforcing robustness for the computation 
on each gate. Ben-Or, Goldwasser, and Wigderson [4] and Chaum, Crepeau,
and Damgard [11] introduced the first protocols enabling security against an
active adversary in the non-cryptographic model, that is, one in which players 
are assumed to have unbounded computing power, but cannot eavesdrop on 
honest players. Their approach has loosely formed the basis of the majority of 
subsequent work, even some of the most recent and efficient constructions such 
as [15,26]. 

¹ Manipulation of homomorphic commitments by $n$ players here in fact yields a kind
of $(n, n)$-VSS protocol in this scheme.

Other work related to our own is that of Franklin and Haber [22]. As we
do here, they propose a secure multiparty computation method dependent on 
manipulation of ciphertexts. In their scheme, the underlying encryption scheme 
is a special variant of El Gamal. The Franklin and Haber system, however, is 
only secure against passive adversaries. 

While drawing on table-based approaches to secure function evaluation, and 
particularly on the frameworks presented in [12,22], mix and match offers robust- 
ness without the use of VSS on input values or sharing of intermediate values. 
The mix-and-match approach consequently achieves several benefits unavailable 
in conventional VSS-based approaches: 

1. Mix and match is conceptually very simple. 

2. The message complexity for mix and match is quite low. In the random
oracle model, the broadcast message complexity is $O(nN)$ group elements,
where $n$ is the number of players and $N$ the number of gates in the circuit.

3. Sharing in mix and match occurs only at the level of a decryption key, and 
not for input or intermediate computational values. 

This last property means that mix and match has the advantage of natural 
flexibility in terms of both input and output formats and player participation. 
For example, players contributing inputs need not even know what players or how 
many will be performing the computation, and need not themselves participate. 
Outputs may be made to take the form of ciphertexts under an arbitrary key, 
with no additional protocol overhead. We note that a similar property emerges 
in independent work by Cramer, Damgard, and Nielsen [16].

A drawback to mix and match is the fact that the atomic computational unit 
is the boolean formula, rather than the field operations employed in secure mul- 
tiparty computation schemes based on [4]. For many functions, therefore, such 
as threshold signature computation [25], it is probably substantially less efficient 
than, e.g., [30]. For functions involving intensive bitwise manipulations, however, 
mix and match is highly competitive. A good example is the millionaires’ prob- 
lem, or natural multi-player extensions such as auction protocols. To highlight 
this strength, we present a flexible non-interactive auction protocol in this pa- 
per based on mix and match. This protocol, as we show, has several practical 
advantages over state-of-the-art proposals for non-interactive secure auctions. 

1.2 Organization 

We present model details and definitions in section 2. We describe our mix- 
and-match scheme in section 3. In section 4, we briefly discuss the literature on 
auction protocols and outline a non-interactive, fully private auction protocol 
based on mix and match. 


2 Model and Building Blocks 

166 Markus Jakobsson and Ari Juels

In elaborating mix and match, we consider the cryptographic model of secure
multiparty computation. This involves $n$ players, $P_1, P_2, \ldots, P_n$, who are assumed
to share an authenticated broadcast channel, and an adversary with resources
polynomially bounded in all security parameters. We consider an adversary
who may corrupt up to $t < n/2$ of these players in an active fashion, i.e.,
the adversary gains access to their private information, and may govern their
behavior in an arbitrary fashion. We assume that the adversary is static, that
is, she must choose in advance which players she wishes to corrupt. Our results
can be extended straightforwardly to more complex adversarial structures. We
can achieve security in the mix-and-match protocol reducible to the Decision
Diffie-Hellman (DDH) assumption (see, e.g., [35]) on the group $G$ over which
the computation takes place. To achieve the best possible efficiency and simplicity
here, however, we additionally invoke the random oracle model (see, e.g.,
[3]). The asymptotic costs presented in this paper assume malicious adversarial
behavior.


2.1 Building Blocks 

El Gamal cryptosystem: We employ the El Gamal cryptosystem [24] as the
basis for our constructions. Encryption in the El Gamal cipher takes place over
a group² $G_q$ of prime order $q$.

Let $g$ be a generator of $G_q$. This generator is typically regarded as a system
parameter, as it may correspond to multiple key pairs. A private encryption key
consists of an integer $x \in_U Z_q$, where $\in_U$ denotes uniform random selection.
The corresponding public key is defined to be $y = g^x$. To encrypt a message
$m \in G_q$ under public key $y$, we select $a \in_U Z_q$, and compute the ciphertext
$(\alpha, \beta) = (m y^a, g^a)$. To decrypt this ciphertext using the private key $x$, we
compute $\alpha / \beta^x = m y^a / (g^a)^x = m$.

The El Gamal cryptosystem is semantically secure [28] under the Decision
Diffie-Hellman (DDH) assumption over $G_q$. Informally, this means that an
attacker who selects a message pair $(m_0, m_1)$ is unable to distinguish between
encryptions of these two messages with probability significantly greater than 1/2,
i.e., than a random guess. See [43] for details.

Let $(\alpha_0 \alpha_1, \beta_0 \beta_1) = (\alpha_0, \beta_0) \otimes (\alpha_1, \beta_1)$. Another useful property of the El
Gamal cryptosystem is the fact that it possesses a homomorphism under the
operator $\otimes$. In particular, observe that if $(\alpha_0, \beta_0)$ and $(\alpha_1, \beta_1)$ represent
ciphertexts corresponding to plaintexts $m_0$ and $m_1$ respectively, then
$(\alpha_0, \beta_0) \otimes (\alpha_1, \beta_1)$ represents an encryption of the plaintext $m_0 m_1$. A consequence
of this homomorphic property is that it is possible, using knowledge of the public
key alone, to derive a random re-encryption $(\alpha', \beta')$ of a given ciphertext $(\alpha, \beta)$.
This is accomplished by computing $(\alpha', \beta') = (\alpha, \beta) \otimes (\gamma, \delta)$, where $(\gamma, \delta)$
represents an encryption of the plaintext value 1. It is possible to prove quite
efficiently in zero-knowledge that $(\alpha', \beta')$ represents a valid re-encryption of
$(\alpha, \beta)$ using, e.g., a variant of the Schnorr proof of knowledge protocol [17,42].
This proof may also be made non-interactive. See [6] for an overview. We let
$(\alpha, \beta) \equiv (\alpha', \beta')$ denote equivalence of underlying plaintexts for $(\alpha, \beta)$ and
$(\alpha', \beta')$, and $(\alpha, \beta) \not\equiv (\alpha', \beta')$ denote non-equivalence.

² Most commonly, we let $p = 2q + 1$, and we let $G_q$ be the set of quadratic residues
in $Z_p^*$. In this setting, plaintexts not in $G_q$ can be mapped onto $G_q$ by appropriate
forcing of the Legendre symbol, e.g., through multiplication by a predetermined
non-residue.

The plaintext 0 has only a degenerate ciphertext in the El Gamal cryptosys- 
tem. We can represent it by some other plaintext in our protocol. 

Distributed decryption for El Gamal: A final useful property of the El Gamal
cipher is that it may easily be converted into a threshold protocol. With use of
a distributed key generation protocol such as that in [8] or [9], players generate
a private key $x$ that is held according to a $t$-out-of-$n$ sharing scheme for some
$t < n/2$. In particular, each player $P_i$ obtains a private share $x_i$ consisting
of the evaluation of a $(t - 1)$-degree polynomial on, e.g., the value $i$ over an
appropriate field. To decrypt a ciphertext $(\alpha, \beta)$, each player $P_i$ publishes the
value $\beta_i = \beta^{x_i}$, along with a ZK proof of correct exponentiation, that is, a ZK
proof of knowledge of $x_i$ such that $\log_g y_i = \log_\beta \beta_i$, using, e.g., an appropriate
variant on the protocol described in [13]. Players then compute
$\beta^x = \prod_{i=1}^{t} \beta_{a_i}^{\lambda_{a_i}}$ on $t$ correct shares $\{\beta_{a_i}\}_{i=1}^{t}$, where $\lambda_{a_i}$ is the
Lagrange coefficient for the $a_i$-th share. Assuming use of non-interactive proofs,
with security consequently relying on the random oracle model, the broadcast
round complexity of the protocol is $O(1)$, the message complexity is $O(n)$ group
elements, and the per-player computational costs are $O(n)$ exponentiations. We
do not provide further details, but instead refer the reader to, e.g., [25], which
describes a threshold DSS scheme with similar properties.

Proof of knowledge of El Gamal plaintext: Given knowledge of the encryption
exponent $a$ of an El Gamal ciphertext $(\alpha, \beta) = (m y^a, g^a)$, a player can prove
knowledge of $m$ in zero knowledge. This may be accomplished simply by means
of an (honest-verifier) zero-knowledge proof of knowledge of $a$ such that $\beta = g^a$
using, e.g., a variant of the Schnorr identification protocol [42] with a challenge 
carefully generated jointly by all servers. Soundness may then be based on the 
discrete log problem. The proof of knowledge may also be replaced with a non- 
interactive protocol through use of Fiat-Shamir techniques [20]. In this case, 
the ciphertext and accompanying proof may be regarded as a plaintext-aware 
encryption, and security depends additionally on use of the random oracle model. 
In this case, the broadcast round complexity of this protocol is 0(1), the message 
complexity is 0(1) group elements, and the per-player computational costs are 
0(1) exponentiations. 

Mix network ($\mathcal{MN}$): The second key tool in our construction is known as a
mix network. This primitive for privacy was introduced by Chaum [10], and 
has recently received considerable attention, both in terms of implementation 
improvements [1,32,33,34,37] and a wide variety of ideas for applications, of 
which some examples may be found in [23,31,38,41]. Intuitively, a mix network is 
a multi-party protocol that takes as input a list of ciphertext items and from this 
produces a new, random list of ciphertext items such that there is a one-to-one 
correspondence between the underlying plaintexts of input and output items. In
other words, the underlying output plaintexts represent a random permutation of 
the underlying input plaintexts. The security of a mix network is characterized by 
the infeasibility for an adversary of determining which output items correspond 
to which input items. 

While there are many flavors of mix network, the type we employ is based
on the El Gamal cipher, and works as follows. An El Gamal public key $y$
is published for use by all players, who are assumed to share an authenticated
broadcast channel (or, equivalently, a bulletin board). Some subset of
$n$ players known as mix servers share the corresponding private key according
to a $(t, n)$-threshold scheme as described above. Input to the mix network
consists of a sequence $(\alpha_1, \beta_1), (\alpha_2, \beta_2), \ldots, (\alpha_k, \beta_k)$ of El Gamal ciphertexts
posted by the players to the bulletin board.³ The mix servers perform a sequence
of distributed operations on these inputs. The output of the mix network
is a random permutation and re-encryption of the inputs, namely a sequence
$(\alpha'_{\sigma(1)}, \beta'_{\sigma(1)}), (\alpha'_{\sigma(2)}, \beta'_{\sigma(2)}), \ldots, (\alpha'_{\sigma(k)}, \beta'_{\sigma(k)})$, where $(\alpha'_i, \beta'_i)$
represents a random re-encryption of $(\alpha_i, \beta_i)$, and $\sigma$ is a random permutation
on $k$ elements.

There are a number of variants on this basic primitive. For example, inputs 
to the mix network may be plaintexts, rather than ciphertexts; alternatively, 
the converse is possible. Note that these are really just special cases of what is 
described here: a plaintext is a degenerate form of ciphertext with encryption 
factor 0. Another important variant that we employ here is a mix network in
which the input consists of a two-dimensional matrix of ciphertexts $\{(\alpha_{ij}, \beta_{ij})\}$
for $1 \le i \le k$ and $1 \le j \le v$. The output consists of a random, blinded permutation
of the rows of this matrix, with no alteration of the order of underlying
plaintexts within rows. In other words the output is $\{(\alpha'_{\sigma(i)j}, \beta'_{\sigma(i)j})\}$ for a
random permutation $\sigma$ on $k$ elements, where $(\alpha'_{ij}, \beta'_{ij})$ represents a re-encryption
of $(\alpha_{ij}, \beta_{ij})$. We do not provide details on this extension of the basic mix network
primitive, but simply note that it may be implemented with overhead linear in
the number $v$ of input columns.

We can base the mix network $\mathcal{MN}$ for the mix-and-match protocol on any 
of several constructions proposed in the literature. For small input sizes, the 
construction of Abe [2] or the similar construction of Jakobsson and Juels [33] 
is most efficient. Given that these schemes are publicly verifiable and possess 
easily provable security properties, we adopt either construction where we must 
make explicit reference to the properties of the mix network in mix and match. 

The mix networks described in [2] and [34] have the following properties. They 
are secure, that is, both private and robust, against a static, active adversary 
that corrupts $t < n/2$ mix servers. Let $k$ be the number of input elements. 
With underlying interactive zero-knowledge proof protocols, i.e., those involving 
challenges carefully generated jointly by the servers, privacy for this protocol 
may be reduced to the DDH assumption, and protocol robustness to the discrete 
log problem. By using non-interactive proof protocols under the Fiat-Shamir 
heuristic [20], we introduce additional dependence on the random oracle model 
for security. In this latter case, the asymptotic broadcast round complexity is 
$O(n)$. The message complexity is $O(nk \log k)$, while the total computational cost 
per server is $O(nk \log k)$ exponentiations. 

^3 To prevent attacks involving one player posting a re-encryption of the ciphertext 
of another player, it is sometimes necessary for ciphertexts to be encrypted in a 
manner that is plaintext aware. This may be accomplished through, e.g., a ZK proof 
of knowledge of the discrete log of $\beta$ for a ciphertext $(\alpha,\beta)$ (see [32,43]). 

Distributed plaintext equality test ($\mathcal{PET}$): Let $(\alpha,\beta)$ and $(\alpha',\beta')$ be El Gamal 
ciphertexts with respective underlying plaintexts $m_1$ and $m_2$. In the $\mathcal{PET}$ protocol, 
players jointly determine whether $m_1 = m_2$, i.e., whether the two ciphertexts encrypt the same plaintext. 

Consider the ciphertext $(\epsilon,\zeta) = (\alpha/\alpha', \beta/\beta')$. If $m_1 = m_2$, then $(\epsilon,\zeta)$ 
represents an encryption of the plaintext integer $1$; otherwise, it represents an 
encryption of the quotient $m_1/m_2$. The idea behind the $\mathcal{PET}$ protocol, therefore, 
is to have the parties blind and then decrypt $(\epsilon,\zeta)$ in such a way that the 
resulting output is $1$ if $m_1 = m_2$, and a random integer otherwise. Player 
$P_i$ blinds $(\epsilon,\zeta)$ by raising each element in the pair to a random exponent $z_i \in_U 
\mathbb{Z}_q$. This form of blinding leaves the plaintext intact if it is equal to $1$ and 
randomizes it otherwise. The players then combine their blinded shares and 
perform a distributed decryption on the resulting ciphertext. The protocol is as 
follows: 

1. Each player $P_i$ selects $z_i \in_U \mathbb{Z}_q$. She publishes a Pedersen commitment [39] 
$C_i = g^{z_i} h^{r_i}$ to $z_i$, where $h$ is a generator such that $\log_g h$ is unknown to any 
coalition of servers and $r_i \in_U \mathbb{Z}_q$ is selected by $P_i$. 

2. Each player computes $(\epsilon_i,\zeta_i) = (\epsilon^{z_i}, \zeta^{z_i})$ and broadcasts it. 

3. Each player $P_i$ proves to the other players that $(\epsilon_i,\zeta_i)$ is well formed relative 
to the commitment $C_i$. In particular, she provides a zero-knowledge proof 
of knowledge of a pair $(z_i, r_i) \in \mathbb{Z}_q^2$ such that $C_i = g^{z_i} h^{r_i}$, $\epsilon_i = \epsilon^{z_i}$ and 
$\zeta_i = \zeta^{z_i}$. This may be accomplished efficiently using appropriate variants on 
protocols elaborated in [13,17]. 

4. The players jointly decrypt $(\gamma,\delta) = (\prod_{i=1}^n \epsilon_i, \prod_{i=1}^n \zeta_i)$. 

5. If the resulting plaintext is $1$, then the players conclude that $m_1 = m_2$. 
Otherwise, they conclude that $m_1 \neq m_2$. 

If any player is found to be deviating from the protocol, that player is excluded 
from further participation. 

Like the other building blocks presented here, $\mathcal{PET}$ is minimal knowledge 
under the DDH assumption. By "minimal knowledge", we mean that players 
learn nothing beyond whether or not $m_1 = m_2$. To be more precise, even 
given malicious adversarial behavior (such as refusal of servers to participate 
in step 3), the distribution of protocol transcripts may be simulated by any 
entity that knows whether or not $m_1 = m_2$. The simulated transcript 
is indistinguishable from a correct one under the DDH assumption. Under the 
discrete log problem, it is infeasible for any adversary controlling $t < n/2$ servers 
to cause a server to deviate from the protocol without detection. Assuming non-interactive 
proof protocols with security in the random oracle model, the protocol 
may be executed with $O(1)$ broadcast rounds, with a message complexity of $O(n)$ 
group elements. The computational costs per player are $O(n)$ exponentiations.^4 

170 Markus Jakobsson and Ari Juels 

The $\mathcal{PET}$ algorithm is the tool that enables us to perform comparisons between 
encrypted values input to gates and encrypted values in blinded tables. 
In other words, it is the basic tool for lookups in blinded tables. 

3 The Mix and Match Protocol 

We are now ready to describe in detail our main protocol, the mix-and-match 
scheme. Recall that players must agree in advance on a representation of the 
target function $f$ as a circuit $C_f$. Let us suppose that this circuit consists of $N$ 
gates, denoted by $G_1, G_2, \ldots, G_N$. We may assume, without loss of generality, 
that the numbering of gates is such that every gate $G_{i+1}$ has circuit depth at least 
that of $G_i$. Thus, evaluation of gate values may proceed in order of index number. 
For simplicity of presentation, we assume that all gates $G_i$ are binary, i.e., each 
gate has two inputs and one output, all of which are bit values. We also assume 
that the function $f$ is binary, i.e., the output is a single bit. We let gate $G_N$ 
be the output gate for $f$. We later give a brief description of how to extend the 
described scheme to non-binary gates and functions $f$ quite straightforwardly. 

Let us denote the sequence of input bits of player $i$ by $B_i = \{b_1, b_2, \ldots, b_k\}$. 
Thus, the aim of the protocol is for players to compute $f(B_1, B_2, \ldots, B_n)$ without 
revealing any additional information about any of $B_1, B_2, \ldots, B_n$. Let us denote 
the lookup table corresponding to gate $G_i$ by $T_i$. As we assume that gates are 
binary, table $T_i$ contains three columns and four rows; the first two columns 
represent input bit values, and the third, the corresponding output bit. Figure 1, 
for example, depicts the logical table corresponding to an AND gate. This is, of 
course, just a standard truth table. 


left | right | output 
-----+-------+------- 
  0  |   0   |   0 
  0  |   1   |   0 
  1  |   0   |   0 
  1  |   1   |   1 

Figure 1. Logical table representing an AND gate 

We let $T_i[u,v]$ represent the value in row $u$ and column $v$ of table $T_i$. We 
denote by $\overline{T_i}$ the blinded, permuted table yielded by application of $\mathcal{MN}$ to $T_i$. 

^4 Pedersen commitments are included here for technical reasons, namely to aid in 
security proofs for the protocol. Under the random oracle assumption on hash function 
$h$, we can have each player $P_i$ instead publish a commitment $C_i = h(\epsilon_i, \zeta_i)$, and 
subsequently have all players decommit. This reduces protocol costs by a significant 
constant factor. 
We present our mix-and-match protocol in terms of four steps: 

1. Input protocol: Each player contributing input to $f$ broadcasts El Gamal 
encryptions of her input bits $B_i$ under the public key $y$. (Note that as the 
integer $0$ has only a degenerate ciphertext in the El Gamal cryptosystem, it 
is convenient to represent a '0' bit by the plaintext $g^{-1}$ and a '1' bit by the 
plaintext $g$.) Players prove knowledge of the associated plaintexts. 

2. Mixing: Players apply the mix network $\mathcal{MN}$ to the tables $\{T_i\}$ under public 
key $y$. Each player in turn mixes all tables. The output is the set of blinded 
tables $\overline{T_1}, \overline{T_2}, \ldots, \overline{T_N}$. 

3. Matching: For gates $G_1, G_2, \ldots, G_N$ in order, the players do the following. 
Let $l_i$ (left) and $r_i$ (right) be the ciphertext input values to gate $G_i$. 
The players use $\mathcal{PET}$ in order to compare the pair $(l_i, r_i)$ with each row 
$u$ in $\overline{T_i}$ until a match is found. For each row $u$, the players check whether 
$\mathcal{PET}(l_i, \overline{T_i}[u,1]) = 1$ and $\mathcal{PET}(r_i, \overline{T_i}[u,2]) = 1$. If both checks hold, then the 
players determine that the encrypted output value $o_i$ of gate $G_i$ is $\overline{T_i}[u,3]$. 
The players do this for $u = 1, 2, 3$, and then $4$ until a match is found. 

4. Output: After evaluating the last gate, $G_N$, the players obtain $o_N$, a 
ciphertext encrypting $f(B_1, B_2, \ldots, B_n)$. They jointly decrypt this ciphertext 
value to reveal the output of the function $f$. 
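As an added worked example (not the paper's code), the following Python program runs the four steps above on the circuit $f(b_1,b_2,b_3) = (b_1 \wedge b_2) \wedge b_3$, with one AND table per gate, the row-permuting matrix variant of the mix network described among the building blocks above (every cell re-encrypted, rows shuffled, column order kept), and $\mathcal{PET}$-based matching in gate order, so that the ciphertext output of gate 1 is consumed by gate 2 without decryption. Assumptions of the example: a toy 30-bit safe-prime group, three servers with an additive sharing of the private key, a single mixing pass rather than one pass per server, and $\mathcal{PET}$ without the commitments and proofs of well-formedness (an honest-but-curious run). Table rows are entered as degenerate ciphertexts $(m, 1)$ with encryption exponent $0$ and become proper ciphertexts only through the mix, as the text notes; the example also shows that an input ciphertext whose plaintext is not a bit matches no row.

```python
import random


def is_prime(n):
    """Miller-Rabin; bases 2, 3, 5, 7 are deterministic for n < 3,215,031,751."""
    if n < 2 or any(n % b == 0 for b in (2, 3, 5, 7)):
        return n in (2, 3, 5, 7)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(rng, bits=30):
    """Toy group (assumption): p = 2q + 1 with q prime; g = 4 has prime order q."""
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q, 4


def encrypt(p, q, g, y, m, rng):
    r = rng.randrange(1, q)
    return m * pow(y, r, p) % p, pow(g, r, p)          # (m * y^r, g^r)


def reencrypt(p, q, g, y, ct, rng):
    a, b = ct
    s = rng.randrange(1, q)
    return a * pow(y, s, p) % p, b * pow(g, s, p) % p  # same plaintext, fresh randomness


def joint_decrypt(p, shares, ct):
    """Servers holding additive key shares x_i publish beta^{x_i}; alpha / prod = m."""
    a, b = ct
    mask = 1
    for x in shares:
        mask = mask * pow(b, x, p) % p
    return a * pow(mask, p - 2, p) % p


def encode_bit(p, g, bit):
    return g if bit else pow(g, p - 2, p)               # '1' -> g, '0' -> g^{-1}


def decode_bit(p, g, m):
    if m == g:
        return 1
    if m == pow(g, p - 2, p):
        return 0
    raise ValueError("plaintext is not a bit encoding")


def and_table(p, g):
    """T for an AND gate: rows (left, right, output) as degenerate ciphertexts (m, 1)."""
    return [[(encode_bit(p, g, b), 1) for b in (l, r, l & r)] for l in (0, 1) for r in (0, 1)]


def mix_rows(p, q, g, y, table, rng):
    """Matrix variant of MN: re-encrypt every cell, then permute whole rows (one pass)."""
    rows = [[reencrypt(p, q, g, y, ct, rng) for ct in row] for row in table]
    rng.shuffle(rows)
    return rows


def pet(p, q, shares, ct1, ct2, rng):
    """Plaintext equality test without commitments/proofs: blind (alpha/alpha', beta/beta')
    with one exponent per server, multiply, jointly decrypt, compare with 1."""
    (a1, b1), (a2, b2) = ct1, ct2
    eps, zeta = a1 * pow(a2, p - 2, p) % p, b1 * pow(b2, p - 2, p) % p
    gamma = delta = 1
    for _ in shares:
        z = rng.randrange(1, q)
        gamma, delta = gamma * pow(eps, z, p) % p, delta * pow(zeta, z, p) % p
    return joint_decrypt(p, shares, (gamma, delta)) == 1


def match(p, q, shares, table_bar, inputs, rng):
    """Matching step: the first row whose leading cells PET-match the inputs yields
    the encrypted output cell(s); None means no row matched (input was not a bit)."""
    for row in table_bar:
        if all(pet(p, q, shares, inp, cell, rng) for inp, cell in zip(inputs, row)):
            return row[len(inputs):]
    return None


def evaluate(bits, seed=1, corrupt_first_input=False):
    """f(b1, b2, b3) = (b1 AND b2) AND b3 under encryption; returns the decrypted output
    bit, or None when the first input is replaced by a non-bit ciphertext (of g^2)."""
    rng = random.Random(seed)
    p, q, g = safe_prime_group(rng)
    shares = [rng.randrange(1, q) for _ in range(3)]     # three servers, x = x1 + x2 + x3
    y = pow(g, sum(shares) % q, p)
    # step 1: input protocol (proofs of plaintext knowledge omitted here)
    inputs = [encrypt(p, q, g, y, encode_bit(p, g, b), rng) for b in bits]
    if corrupt_first_input:
        inputs[0] = encrypt(p, q, g, y, pow(g, 2, p), rng)
    # step 2: mixing, one blinded AND table per gate
    t1, t2 = (mix_rows(p, q, g, y, and_table(p, g), rng) for _ in range(2))
    # step 3: matching in gate order; gate 2 consumes gate 1's ciphertext output o_1
    o1 = match(p, q, shares, t1, [inputs[0], inputs[1]], rng)
    if o1 is None:
        return None
    o2 = match(p, q, shares, t2, [o1[0], inputs[2]], rng)
    # step 4: only o_N is decrypted
    return None if o2 is None else decode_bit(p, g, joint_decrypt(p, shares, o2[0]))


if __name__ == "__main__":
    print([evaluate(b) for b in ((1, 1, 1), (1, 1, 0), (0, 1, 1))],
          evaluate((1, 1, 1), corrupt_first_input=True))
```

Because the blinded tables are freshly re-encrypted and row-permuted, the index $u$ of the matching row tells the servers nothing about the input bits; only the single decryption of $o_N$ in step 4 reveals a plaintext.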

If a player has provided an invalid input ciphertext $(\alpha,\beta)$, i.e., a ciphertext 
whose plaintext does not represent a bit, then the matching step as applied to 
that ciphertext will fail. In other words, no matching row will be found. This will 
reveal the invalidity of the input to participating players. An alternative strategy 
to identify invalid inputs is for players to provide validity proofs along with their 
inputs. Let $(\alpha,\beta)$ be a ciphertext input in which a '0' bit is represented by the 
plaintext value $g^{-1}$, and a '1' bit is represented by the plaintext value $g$. Such 
a proof then takes the form of a proof of knowledge of $(z : \alpha/g = y^z,\ \beta = g^z)$ or 
$(z : \alpha g = y^z,\ \beta = g^z)$. See [6,17] for descriptions of how to construct disjunctive 
and conjunctive proofs of knowledge efficiently. 
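The disjunctive validity proof just described, as an added example in Python that is not taken from the paper: the prover shows knowledge of $z$ with $\beta = g^z$ and either $\alpha/g = y^z$ or $\alpha g = y^z$ by OR-composing two Chaum-Pedersen equality-of-discrete-logs proofs (the false branch is simulated from a random challenge and response, and the true branch's challenge is fixed so that the two challenges sum to the hash), made non-interactive with SHA-256. Assumptions of the example: a fixed toy group $p = 2039$, $q = 1019$, $g = 4$ of order $q$, and the hashed (Fiat-Shamir) challenge; the bibliography's constructions [6,17] are the general references, this is one concrete instance.

```python
import hashlib
import random

# Toy group (assumption, not from the paper): p = 2q + 1 with q = 1019 prime; g = 4 has order q.
P, Q, G = 2039, 1019, 4


def encrypt(y, m, rng):
    """El Gamal (alpha, beta) = (m * y^z, g^z); z is returned because the prover needs it."""
    z = rng.randrange(1, Q)
    return m * pow(y, z, P) % P, pow(G, z, P), z


def fs_challenge(*vals):
    return int(hashlib.sha256(" ".join(map(str, vals)).encode()).hexdigest(), 16) % Q


def targets(alpha):
    """y^z under each hypothesis: bit 0 (m = g^{-1}) gives alpha*g, bit 1 (m = g) gives alpha/g."""
    return alpha * G % P, alpha * pow(G, P - 2, P) % P


def prove_bit(y, alpha, beta, z, bit, rng):
    """OR-proof (CDS composition of two Chaum-Pedersen proofs): knowledge of z with
    beta = g^z and (alpha/g = y^z or alpha*g = y^z). The false branch is simulated
    from a random (challenge, response); the true branch gets challenge c - c_false."""
    t, fake = targets(alpha), 1 - bit
    c_f, s_f, w = rng.randrange(Q), rng.randrange(Q), rng.randrange(1, Q)
    com = [None, None]
    com[fake] = (pow(G, s_f, P) * pow(pow(beta, c_f, P), P - 2, P) % P,
                 pow(y, s_f, P) * pow(pow(t[fake], c_f, P), P - 2, P) % P)
    com[bit] = (pow(G, w, P), pow(y, w, P))
    c_b = (fs_challenge(y, alpha, beta, com[0], com[1]) - c_f) % Q
    chal, resp = [None, None], [None, None]
    chal[fake], resp[fake] = c_f, s_f
    chal[bit], resp[bit] = c_b, (w + c_b * z) % Q
    return com[0], com[1], chal[0], chal[1], resp[0], resp[1]


def verify_bit(y, alpha, beta, proof):
    a0, a1, c0, c1, s0, s1 = proof
    if (c0 + c1) % Q != fs_challenge(y, alpha, beta, a0, a1):
        return False
    for a, c, s, t in zip((a0, a1), (c0, c1), (s0, s1), targets(alpha)):
        # Chaum-Pedersen checks for each branch: g^s = a[0] * beta^c and y^s = a[1] * t^c
        if pow(G, s, P) != a[0] * pow(beta, c, P) % P or pow(y, s, P) != a[1] * pow(t, c, P) % P:
            return False
    return True


def demo(seed=1):
    """Returns (valid '0' accepted, valid '1' accepted, g^2 ciphertext rejected,
    tampered response rejected)."""
    rng = random.Random(seed)
    x = rng.randrange(1, Q)
    y = pow(G, x, P)
    out = []
    for bit in (0, 1):
        alpha, beta, z = encrypt(y, G if bit else pow(G, P - 2, P), rng)
        out.append(verify_bit(y, alpha, beta, prove_bit(y, alpha, beta, z, bit, rng)))
    alpha, beta, z = encrypt(y, pow(G, 2, P), rng)           # constructed non-bit plaintext
    out.append(not verify_bit(y, alpha, beta, prove_bit(y, alpha, beta, z, 1, rng)))
    alpha, beta, z = encrypt(y, G, rng)
    a0, a1, c0, c1, s0, s1 = prove_bit(y, alpha, beta, z, 1, rng)
    out.append(not verify_bit(y, alpha, beta, (a0, a1, c0, c1, (s0 + 1) % Q, s1)))
    return tuple(out)


if __name__ == "__main__":
    print(demo())  # (True, True, True, True)
```

The verifier never learns which branch was simulated, since both branches satisfy identical equations; the prover's only freedom is the split of the hashed challenge, which it can exploit for exactly one branch. Binding the challenge to $(y, \alpha, \beta)$ also stops a proof from being transplanted onto another player's ciphertext, the concern raised in footnote 3.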

If players determine that a player Pj participating in the function evaluation 
protocol has cheated or failed, they expel him from the protocol, according to 
standard practice in the literature for threshold security protocols. They then 
rewind and recompute as necessary. Due to space limitations, we do not prove 
security results, but simply state that our mix-and-match construction meets 
the security requirements formalized by Canetti [7] for secure multiparty protocols. 
The interactive variant does this in a computational sense, i.e., there is 
an ideal process adversary capable of producing a simulation indistinguishable 
from a real one under the DDH assumption. The non-interactive variant depends 
additionally on use of the random oracle model. 

Extensions: As explained above, it is easy to extend the mix-and-match protocol 
to non-binary gates $G_i$. For $G_i$ to take as input a $j$-tuple of values, we 
construct $T_i$ such that columns $1, 2, \ldots, j$ contain input values. (We increase the 
number of rows correspondingly to $2^j$.) On evaluating $G_i$, we compare the input 
tuple with the first $j$ columns of a given row in $\overline{T_i}$. For $G_i$ to yield multiple 
output values, it suffices to have the output column in $T_i$ carry multiple values. 
Input or output values can be made non-binary simply by formulating the entries 
in $T_i$ appropriately. Additionally, the circuit for $f$ can have multiple output 
gates, requiring simply that players perform multiple decryptions in the final 
step of the mix-and-match protocol. 

The set of players providing inputs to / in step 1 may be distinct or arbitrarily 
overlapping with the set of players performing the secure computation. We see 
this principle at work in our auction protocol in section 4. Similarly, since the set 
of players performing the mixing operation need have knowledge only of $y$ and 
not $x$, this set may be disjoint from the set of players performing the matching. 

Remarks: 

— The multiplicative homomorphism property of the El Gamal cipher allows 
for secure multiplication of plaintext values at the cost of a single (componentwise) modular 
multiplication of the ciphertexts. This observation may often be exploited to reduce the cost of 
the protocol. For example, if the left and right input bits to an AND gate are 
ciphertexts $l_i$ and $r_i$ respectively, each with plaintext value $g^{-1}$ (representing 
a '0' bit) or $g$ (representing a '1' bit), then the product $l_i r_i$ will have one 
of three corresponding plaintexts, $g^{-2}$, $1$, or $g^2$. We can thus condense the 
AND gate to include only three rows. 

— One means of reducing the number of gates is to use the El Gamal variant 
proposed by Franklin and Haber [22] for use in secure multiparty compu- 
tation. This is an El Gamal cryptosystem in which -1 and 1 are both valid 
plaintexts. In consequence of the multiplicative homomorphism of El Gamal, 
it is possible for players to compute XOR non-interactively with this scheme. 

— It may easily be seen that the transcripts of all players’ proofs constitute a 
publicly verifiable proof of the correctness of the computation. 


3.1 Performance 

The full protocol in the random oracle model, i.e., with non-interactive proofs, 
may be achieved in $O(n + d)$ broadcast rounds, where $d$ is the depth of the circuit 
$C_f$. As players invoke $\mathcal{MN}$ once per gate and $\mathcal{PET}$ a constant number of 
times per gate, the overall message complexity is $O(nN)$ group elements, while 
the computational complexity per player is likewise $O(nN)$ exponentiations. As 
noted above, mix and match can be implemented with use of interactive proofs 
using, e.g., techniques in [16], thereby eliminating the random oracle assumption 
as a security requirement at the expense of slightly higher protocol costs. 
Asymptotic costs in the non-interactive mix-and-match protocol are on a par 
with the best contemporaneous results, such as [16,30]. It is important to note, 
though, that these latter two results achieve full field operations for each gate. 
(The result in [16] is in the computational model with an assumed broadcast 
channel, and tolerates an adversary in control of any minority coalition. The 
scheme in [30] is in the private channels model with security for $t < n/3$.) 
4 Auctions 

We now show how to apply mix and match to the construction of an auction 
protocol. We consider two, possibly overlapping sets of participants, $m$ bidders, 
denoted by $A_1, A_2, \ldots, A_m$, and $n$ servers, denoted by $P_1, P_2, \ldots, P_n$. All participants 
are assumed to share an authenticated broadcast channel. We achieve 
the following properties in our proposed scheme: 

1. Non-interactivity: Bidders submit bids in a non-interactive fashion. That is, 
they broadcast their bids to the servers, but need not participate subsequently 
in the auction protocol except to learn the outcome. 

2. Auction adaptability: Our auction protocol is readily adaptable with little 
overhead to a range of auction types, such as highest-price auctions and Vick- 
rey auctions, as well as to related non-auction procedures, such as polling. 

3. Full privacy: The only information revealed at the conclusion of the auction 
is that essential to public execution of resulting transactions. In a highest- 
price auction, for example, only the winning bid and the identity of the 
winning bidder are revealed. 

4. Robustness: An adversary consisting of a coalition of bidders or a minor- 
ity coalition of servers cannot disrupt the auction protocol or undermine 
the privacy guarantees. (The servers are simply players as described in the 
mix-and-match scheme above, so that the computation achieves the same 
robustness and security characteristics.) 

5. Multiple servers: Our auction protocol accommodates an arbitrary number 
of servers and a range of trust models on these servers. 

6. Public verifiability: The proof transcripts of the auction servers are publicly 
verifiable. That is, any player (and indeed, any external entity) can verify 
the correctness of the auction execution without trust in the auction servers. 

The principal drawback of our scheme is the intensive communication it requires 
among servers. Given that this may occur in a manner that is offline from the 
perspective of bidders, however, it does not pose a serious practical limitation. 

In principle, it is possible to achieve the above set of properties with use of 
any general secure multiparty computation technique and any threshold public- 
key cryptosystem. The most difficult property to achieve in practice is that of 
non-interactivity. One method is as follows. Given an appropriate circuit representation 
for the computation, bidders submit ciphertext bids which the 
servers decompose into shares using their private shares of the ciphertext key. 
This approach, however, is rather inefficient, as the circuit must be very large. 

Another, more efficient approach to building a non-interactive protocol is for 
a bidder to make the sharing implicit in her bid. The bidder submits verifiable 
secret sharings of the component bits of her bid, along with ciphertexts of the 
shares. These ciphertexts may be encrypted under the keys of the individual 
servers, or under a shared key. In the latter case, the ciphertexts may be 
directively decrypted, i.e., decrypted for a unique recipient. This approach, while 
fairly practical, is still cumbersome. The bidder must, at a minimum, know how 
many servers are participating, and, to achieve a practical scheme, must submit 
$nk$ ciphertexts, where $k$ is the number of bits composing her bid. Additionally, 
as noted above, we believe that mix and match is quite competitive with other 
secure function evaluation protocols for applications, like auctions, involving in- 
tensive bitwise manipulation. 

In consequence of the difficulties involved in deploying standard general se- 
cure function evaluation techniques, a number of secure protocols have been 
proposed in the literature that are specially tailored for auctions. One of the 
earliest of these is the scheme of Franklin and Reiter [21]. This scheme is not 
fully private, in the sense that it only ensures the confidentiality of bids until 
the end of the protocol (although the authors mention a fully private variant). 
Some more recent schemes include those of Harkavy, Tygar, and Kikuchi [29], 
Cachin [5], Sako [40], Di Crescenzo [19], and Naor, Pinkas, and Sumner [36]. The 
Harkavy et al. scheme is fully privacy preserving, but involves intensive bidder 
involvement [29], and is not easily adaptable to different auction types or to 
related protocols. The scheme of Cachin involves two servers, and requires some 
communication among bidders. At the end of the protocol, a list of bidders is 
obtained, but not the bid amounts. The scheme of Di Crescenzo [19] requires no 
communication between bidders, and has low round complexity, but involves the 
participation of only a single server. The scheme of Sako [40] works on a differ- 
ent principle from these others, involving opening of bids in what is effectively a 
privacy-preserving Dutch-style auction. While efficient for small auctions, it in- 
volves costs linear in the range of possible bids, and does not allow for extension 
to second-price and other auction types. The scheme of Naor et al. [36] is the 
first to seek to achieve the first four auction properties enumerated above. 5 

4.1 A Mix-and-Match Auction Protocol 

We now present our auction protocol, achieving all six of the properties enu- 
merated above. We describe an architecture for executing highest-bid auctions, 
although variants such as Vickrey auctions may be achieved through simple modifications 
imposing minimal additional overhead. Let $B_i = b_i^{(k)} b_i^{(k-1)} \ldots b_i^{(1)}$ 
be a bitwise representation of the bid of bidder $A_i$. Let $E[b]$ represent the 
El Gamal encryption of a given bit $b$. To avoid cumbersome details, we use 
somewhat loose notation here, and also do not consider the association of user 
identities with bids. Also for the sake of simplicity, we assume that there are no 
ties between bids. The protocol is as follows. 

1. Each bidder $A_i$ submits her bid consisting of El Gamal ciphertexts $E[b_i^{(k)}]$, 
$E[b_i^{(k-1)}], \ldots, E[b_i^{(1)}]$ along with proofs of knowledge of the associated plaintexts. 
Let $E[B_i]$ denote the $k$-tuple of ciphertexts representing the submitted 
bid of $A_i$. (This submission $E[B_i]$ may be also digitally signed by $A_i$.) 

5 A security flaw which we do not have space to describe here, however, allows one of 
the servers to tamper with bids in this protocol. 
2. For each pair of encrypted bids, players do the following: 

— Servers apply a mix-and-match-based millionaires' problem protocol to 
pairs of encrypted bids $(E[B_i], E[B_j])$. Let $E[w]$ denote the ciphertext 
outcome of the comparison on the bid pair $(B_i, B_j)$. Here $w = 1$ if bid $i$ 
is higher and $w = -1$ if bid $j$ is higher.^6 

— Servers construct a two-row table $T$ in which the first row contains the 
pair $(1, E[B_i])$, and the second row contains the pair $(-1, E[B_j])$. Thus 
each row contains $k + 1$ columns. Players mix $T$ to obtain blinded table 
$\overline{T}$. Thus $\overline{T}$ consists of rows $(E[1], E'[B_i])$ and $(E[-1], E'[B_j])$ in a random 
order, where $E'[B_i]$ and $E'[B_j]$ denote re-encryptions of ciphertexts $E[B_i]$ 
and $E[B_j]$. 

— Servers match $E[w]$ against the first column entries of $\overline{T}$. When they find 
a match, they output the ciphertext bid in the corresponding row. This 
will be $E'[B_i]$ if $w = 1$ and $E'[B_j]$ if $w = -1$. 

3. Servers repeat the previous step following a tennis tournament format until 
only the ciphertext $E[B_i]$ of a winning bid remains. 

4. Servers jointly decrypt the winning bid $E[B_i]$. 

Many variants of this basic scheme are possible. For example, to handle ties, 
players might execute a sorting algorithm based on pairwise comparisons, rather 
than a tennis tournament. In this case, we must enforce a secret, random tie- 
breaking mechanism for comparisons between equal bids. Once an ordered list 
is obtained, it suffices to compare bids from highest to lowest until all highest 
bids are identified. We leave further details to the reader. 

Assuming use of the publicly verifiable mix network proposed in [2,34] and 
correct server behavior, it may easily be seen that the asymptotic computational 
cost of the protocol described above is $O(knm)$ exponentiations per server, while 
the message complexity is also $O(knm)$. A crude estimate suggests that for 
$m = 100$, $n = 5$, and $k = 20$, i.e., for 100 bidders, 5 servers, and bid values ranging 
from 1 to just over 1,000,000, an auction may be conducted in under 3 minutes 
on fast workstations. 
Abstract. This paper presents a secure and flexible Mix-net that has 
the following properties: it efficiently handles long plaintexts that exceed 
the modulus size of the underlying public-key encryption as well as very 
short ones (length-flexible), input ciphertext length is not impacted by 
the number of mix-servers (length-invariant), and its security in terms 
of anonymity is proven in a formal way (provably secure). One can also 
add robustness, i.e., it outputs correct results in the presence of corrupt 
servers. The security is proved in the random oracle model by showing a 
reduction from breaking the anonymity of our Mix-net to breaking a sort 
of indistinguishability of the underlying symmetric encryption scheme or 
solving the Decision Diffie-Hellman problem. 


Keywords: Mix-net, Hybrid Encryption, Anonymous Channel, Hybrid Mix 

1 Introduction 

1.1 Background 

Mix-net is a cryptographic primitive that provides anonymity to message senders. 
It takes a list of encrypted messages sent from a sufficient number of users and 
outputs a list of corresponding plaintexts sorted in random order so that it 
conceals the correspondence between each plaintext and user. Accordingly, it 
provides anonymity by hiding the individual user in the mass. Such a primitive 
was first introduced in [7] with a heuristic construction based on public key 
encryption. Since then, many works have improved its usability and security. 
In [18], Park et al. constructed a scheme based on El Gamal encryption, where 
the encryption work and resulting ciphertext length were independent of the 
number of mix-servers. Robustness was addressed in [22,16,17,3,12,1,13,14,9]. 
Attacks are found in [20,19,16,9]. 

A promising application of Mix-net is electronic voting as it can convey any 
style of ballots, e.g., simple binary value of Yes/No voting and free-format ques- 
tionnaires, without changing the protocol. It is also useful in other applications 
such as anonymous payments and anonymous bids. 

To support wide availability, Mix-net should be able to efficiently handle mes- 
sages of various lengths that differ depending on the application. Some applica- 
tions where users anonymously send signatures issued by an authority (possibly 
in a blind way) need Mix-net to convey signature-message pairs which require 
thousands of bits to be stored depending on the signature algorithm. Despite 
the need for handling long plaintexts, all previous Mix-nets limit messages to 
be shorter than a single block of ElGamal encryption or handle long messages 
in a heuristic way. For example, if ElGamal encryption is implemented over an 
elliptic curve for speed with typical settings, the messages are limited to just 160 
bits, which greatly limits applicability. Although one can handle long messages 
simply by dividing each message into some blocks and repeating the atomic mix 
processing a sufficient number of times, such an approach results in an inefficient 
scheme. 

Very short plaintexts are also dealt with in an inefficient way, as they are expanded 
to one block of the underlying public-key encryption. For instance, ElGamal encryption 
with a 1024-bit modulus expands a 1-bit message to a 1024 + 1024 bit ciphertext. 
Hence, previous schemes incur higher communication costs than actually needed. 

A common approach that overcomes such shortcomings would be to use hy- 
brid encryption schemes that combine asymmetric key exchange and symmetric 
(common key) encryption. Although some provably secure hybrid encryption 
schemes are available in the literature, e.g., [10,23], applying those schemes does 
not immediately result in a secure and efficient Mix-net. It is not clear whether 
a secure hybrid encryption scheme provides security even in the context of Mix-net. 
Furthermore, a straightforward use of hybrid encryption in the original construction 
of Chaum [7] obviously extends the resulting input ciphertext linearly 
depending on the number of servers. 

1.2 Our Contribution 

This paper presents Mix-nets that realize, for the first time, the following prop- 
erties all at the same time. 

— Length-flexibility : The size of the public-key of Mix-net does not limit 
plaintext length. Plaintexts of any length are encrypted efficiently in terms 
of computation and resulting ciphertext length. 

— Length-invariance: The length of input ciphertexts is independent of the 
number of mix-servers. 

— Provable security: The security, in terms of anonymity, of our Mix-net 
can be proven in the random oracle model [5] assuming the intractability 
of the Decision Diffie-Hellman problem and the availability of a symmetric 
encryption scheme that ensures a sort of indistinguishability. 

Furthermore, we show an approach to add robustness so that correct output is 
obtained even if some of the users and servers behave maliciously. 

To achieve the above goals, we developed a novel hybrid encryption scheme 
with a group decryption feature that suits Mix-net. Informally, it conceals the 
correspondence between inputs and outputs at each step of group decryption 
performed by each server. 

Our scheme saves communication cost for short messages as well as long 
ones since the encryption only extends the message with modulus length. For 
instance, an input ciphertext is 1024 + 1 bits long for a 1-bit message with a 1024-bit 
modulus. Computational cost of encryption grows linearly depending on the 
number of servers. We show, however, in section 7, that the cost can actually be 
smaller than that of previous standard schemes in many settings. 

We first introduce a basic scheme that highlights our key idea. It is secure 
only against honest but curious users and mix-servers. We then add security to 
withstand distrustful users (mix-servers are still honest but curious). If needed, 
one can add individual verifiability to these basic schemes in a simple stan- 
dard way in order to detect the deviation of servers with some probability. Such 
schemes would be applicable for applications where mix-servers are chosen carefully 
and thus are more trustworthy than users. Such schemes would also be used 
in the applications, such as anonymous donation or payment, in which each user 
is not concerned about the input of other users and thus individual verifiability 
is sufficient. 

We then add robustness by following [9]. As in their scheme, the resulting 
Mix-net is robust in such a sense that it outputs a correct result and provides 
anonymity in the presence of corrupt servers, but does not provide universal 
verifiability. That is, only the servers can be convinced of the correctness of 
the results while no external parties can verify them. Such a model was also 
addressed in [12,13]. Accordingly, such a scheme would be useful, for instance, for 
small scale applications where every user can act as a mix-server. 

2 Model 

2.1 Scenario 

There are $n$ users and $m$ mix-servers. Let $U_i$ and $M_j$ denote user $i$ and server 
$j$, respectively. For simplicity, we assume that all communication between these 
participants is done via a bulletin board. The scenario consists of three phases. 

Preliminary phase: The maximum length of each plaintext, say $\ell_{msg}$, is announced 
to all users together with other application-dependent information. 
It is stressed that $\ell_{msg}$ is independent of the public key size and is determined 
by the Mix-net application. Theoretically, $\ell_{msg}$ can be any positive 
integer bounded by a polynomial of the security parameter. 

Casting phase: Each user encrypts his message and sends it to the bulletin 
board. Appropriate padding may be applied to the message before encryption 
so that the length of the message equals $\ell_{msg}$. 

Mixing phase: Let $L_0$ be a list of all ciphertexts sent from the users. The first 
server takes $L_0$ and outputs a list, $L_1$, to the bulletin board. Similarly, server 
$i$ takes $L_{i-1}$ and outputs $L_i$. The final output of the mix-net is $L_m$. If all 
servers work correctly, $L_m$ is a list of plaintexts sorted in random order. 

Let $\overline{L_0}$ be the list of messages obtained by correctly decrypting each ciphertext 
in $L_0$. The output of the mix-net, $L_m$, is said to be correct if there exists a 
permutation between $\overline{L_0}$ and $L_m$. We say, informally, that the mix-net provides 
anonymity if it is intractable to distinguish two plain messages in $L_m$ that originate 
from two honest users. 
2.2 Adversaries 

We represent the power of an adversary by $(t_u, t_s)^{**}$, where each $*$ is either A or P, 
meaning active or passive, respectively. For instance, a $(t_u, t_s)^{AP}$-adversary means 
that the adversary can thoroughly control up to $t_u$ users (i.e., active against 
users), and can obtain views from up to $t_s$ mix-servers (i.e., passive against 
servers). Note that adversaries that are passive against servers only attempt to 
violate anonymity, as they can not control the servers so as to output incorrect 
results. We assume that the adversaries are static, meaning that they decide, 
before the protocol begins, which users and servers they will attack. 

In this paper, we deal with the following types of adversaries. The types are 
listed in order of increasing strength. 

- $(n-2, m-1)^{PP}$-adversary: There are at least two unattacked users and an 
unattacked server. The adversary can obtain views from attacked users and 
servers but can not control either of them. Our basic scheme is safe against 
this type of adversary. 

- $(n-2, m-1)^{AP}$-adversary: The same as above, but can control corrupt users. 
Since the adversary can send any ciphertexts through the corrupt users and 
let the servers decrypt them, it can launch chosen ciphertext attacks. Our 
extended scheme withstands this type of adversary. 

- $(n-2, O(\sqrt{m}))^{AA}$-adversary: This type of adversary, which is the strongest 
of the three, attempts to violate anonymity or correctness. Our third scheme 
withstands such an adversary. 

3 The Basic Scheme

Let $\mathcal{G}$ be a discrete logarithm instance generator such that $(p, q, g) \leftarrow \mathcal{G}(1^k)$, where $k$ is a security parameter, $p, q$ are primes that satisfy $q \mid p-1$, and $g$ is an element of $\mathbb{Z}_p^*$ whose order is $q$. Let $\langle g \rangle$ denote the subgroup of $\mathbb{Z}_p^*$ generated by $g$. All subsequent arithmetic operations are performed modulo $p$ unless otherwise stated.

$(\mathcal{E}, \mathcal{D}, \mathcal{K}, \mathcal{M}, \mathcal{C})$ denotes a symmetric encryption scheme, where $\mathcal{E}, \mathcal{D}$ are the encryption and decryption algorithms and $\mathcal{K}, \mathcal{M}, \mathcal{C}$ are the spaces of keys, messages and ciphertexts, respectively. $\mathcal{E}_K(x)$ denotes the result of encrypting plaintext $x$ with common key $K$. Similarly, $\mathcal{D}_K(x)$ denotes the plaintext obtained by decrypting ciphertext $x$ with key $K$. We assume that the symmetric encryption scheme is length-preserving, i.e., $\mathcal{M} = \mathcal{C} = \{0,1\}^{\ell_{msg}}$. Let $H$ be a hash function, $H : \langle g \rangle \to \mathcal{K}$.

[Key generation]

Server $i$ randomly selects a pair of private keys $a_i, x_i$ from $\mathbb{Z}_q^*$ and computes

$h_i := h_{i-1}^{a_i}$ and $y_i := h_i^{x_i}$,

for $h_{i-1}$ given by the previous server. (Let $h_0 = g$ for the first server.) It then publishes $y_i$ and $h_i$ as its pair of public keys.

Fig. 1. The basic hybrid Mix-net with two servers. The input to Server 1 is a list of $(G, E)$s made by each user, where $G = g^r$ and $E = \mathcal{E}_{K_1}(\mathcal{E}_{K_2}(msg))$. Server 1 outputs a list of randomly ordered $(G', E')$s. Server 2 finally outputs a list of randomly ordered plaintexts. $\mathcal{E}, \mathcal{D}$ are the encryption and decryption algorithms. $H$ is a hash function.

[Encryption]

A user encrypts message $msg \in \{0,1\}^{\ell_{msg}}$ to ciphertext $C$ as

$C := (G, E) = (g^r,\ \mathcal{E}_{K_1}(\cdots \mathcal{E}_{K_m}(msg) \cdots))$

where $r$ is randomly taken from $\mathbb{Z}_q^*$, and $K_1, \ldots, K_m$ are the session keys for the symmetric encryption $\mathcal{E}$, computed as

$K_i := H(y_i^r)$.

[Mix Decryption]

For $i = 1$ to $m$, server $i$ decrypts each ciphertext $C = (G, E)$ in list $L_{i-1}$ to get $C' = (G', E')$ as

$G' := G^{a_i}$,
$E' := \mathcal{D}_{K_i}(E)$ where $K_i = H(G'^{\,x_i})$.

(For the last server, let $C' = E'$.) Server $i$ then selects a random permutation $\pi_i$ of $\{1, \ldots, n\}$ and puts the resulting ciphertexts into $L_i$ in the random order defined by $\pi_i$.

Figure 1 illustrates the above basic scheme with two servers. For each $i$, the $G$ received by server $i$ equals $h_{i-1}^r$, so $G' = h_i^r$ and $H(G'^{\,x_i}) = H(h_i^{r x_i}) = H(y_i^r) = K_i$ holds. Thus, if every server works correctly, the correct session key is retrieved by each server and the correct plaintext is obtained.
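The basic scheme of this section end to end, as an added example that is not code from the paper: chained key generation, the user's layered encryption, and each server's decryption and shuffle, relying on the identity $H(G'^{\,x_i}) = H(y_i^r)$ derived above. The paper leaves $H$, the length-preserving cipher and the generator $\mathcal{G}$ unspecified; this example assumes SHA-256 for $H$, an HMAC-SHA256 keystream XOR (OFB-like) for $(\mathcal{E}, \mathcal{D})$, a seeded 64-bit safe-prime group (far too small for real use), and $\ell_{msg}$ of 16 bytes.

```python
"""Basic hybrid mix-net of Section 3 (added example, not the paper's code).
Assumed here, since the paper leaves them open: H is SHA-256 of the group
element, the length-preserving cipher (E, D) is an HMAC-SHA256 keystream XOR
(OFB-like), and (p, q, g) is a safe-prime group generated from a seed."""
import hashlib
import hmac
import random

ELL_MSG = 16   # l_msg: fixed message length in bytes, chosen for this example


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin after trial division by small primes."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_params(bits, rng):
    """(p, q, g) with p = 2q + 1 prime, q prime, g of order q (a non-trivial square)."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q, rng) and is_probable_prime(p, rng):
            g = pow(rng.randrange(2, p - 1), 2, p)
            if g != 1:
                return p, q, g


def H(elem, p):
    """H : <g> -> K; 32-byte key from a fixed-width encoding of the group element."""
    return hashlib.sha256(elem.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


def xor_stream(key, data):
    """Length-preserving symmetric cipher; the same call encrypts and decrypts."""
    stream, ctr = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def keygen(p, q, g, m, rng):
    """Chained keys: h_i = h_{i-1}^{a_i}, y_i = h_i^{x_i}, h_0 = g. Returns (priv, pub)."""
    priv, pub, h_prev = [], [], g
    for _ in range(m):
        a_i, x_i = rng.randrange(1, q), rng.randrange(1, q)
        h_i = pow(h_prev, a_i, p)
        priv.append((a_i, x_i))
        pub.append((h_i, pow(h_i, x_i, p)))
        h_prev = h_i
    return priv, pub


def encrypt(p, q, g, pub, msg, rng):
    """User: C = (g^r, E_{K_1}(... E_{K_m}(msg) ...)) with K_i = H(y_i^r)."""
    r = rng.randrange(1, q)
    E = msg
    for _, y_i in reversed(pub):          # innermost layer uses K_m, outermost K_1
        E = xor_stream(H(pow(y_i, r, p), p), E)
    return pow(g, r, p), E


def mix_server(p, priv_i, lst, rng):
    """Server i: G' = G^{a_i}, E' = D_{K_i}(E) with K_i = H(G'^{x_i}), then shuffle."""
    a_i, x_i = priv_i
    out = []
    for G, E in lst:
        G2 = pow(G, a_i, p)
        out.append((G2, xor_stream(H(pow(G2, x_i, p), p), E)))
    rng.shuffle(out)                      # the random permutation pi_i
    return out


def setup(m=3, bits=64, seed=7):
    """Generate the group and the m servers' key pairs from a seed."""
    rng = random.Random(seed)
    p, q, g = gen_params(bits, rng)
    priv, pub = keygen(p, q, g, m, rng)
    return p, q, g, priv, pub, rng


def run_mix(msgs, m=3, bits=64, seed=7):
    """Casting and mixing phases end to end; returns L_m, the shuffled plaintexts."""
    p, q, g, priv, pub, rng = setup(m, bits, seed)
    padded = [mm.ljust(ELL_MSG, b"\x00") for mm in msgs]         # pad to l_msg
    lst = [encrypt(p, q, g, pub, mm, rng) for mm in padded]      # L_0
    for i in range(m):
        lst = mix_server(p, priv[i], lst, rng)                   # L_i
    return [E for _, E in lst]                                   # L_m (G' is dropped)
```

`run_mix` returns $L_m$, and correctness means it is a permutation of the padded inputs; every ciphertext in every $L_i$ has the same length as the message, which is the length-invariance the title refers to. The keystream cipher stands in for the MFG-secure cipher required in Section 4 and must be replaced, together with the group size, in any real deployment.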
4 Security of the Basic Scheme

4.1 Definitions and Assumptions

For $\rho := (p, q, g)$ generated by $\mathcal{G}(1^k)$, we assume that all poly-time algorithms solve the following problems only with negligible (in $k$) advantage over random guessing.

Definition 1. (Computational Diffie-Hellman Problem: CDHP)
Input: $(\rho, g^a, g^b)$ where $a, b \leftarrow \mathbb{Z}_q$.
Output: $g^{ab}$.

Definition 2. (Decision Diffie-Hellman Problem: DDHP)
Input: $(\rho, g^a, G_0, G_1, G_b^a)$ where $b \leftarrow \{0,1\}$, $a \leftarrow \mathbb{Z}_q$, $G_0, G_1 \leftarrow \langle g \rangle$.
Output: $b$.

Definition 3. (Matching Diffie-Hellman Problem: MDHP)
Input: $(\rho, g^a, G_0, G_1, G_b^a, G_{\bar b}^a)$ where $b \leftarrow \{0,1\}$, $a \leftarrow \mathbb{Z}_q$, $G_0, G_1 \leftarrow \langle g \rangle$.
Output: $b$.

It holds that CDHP $\geq$ DDHP $\geq$ MDHP, i.e., CDHP is the hardest to solve. The reverse relation between CDHP and DDHP is not known. For DDHP and MDHP, we can show that MDHP $=$ DDHP following [11] or [21].

Next we define the Matching Find-Guess problem, which is closely related to the Find-Guess problem [10], which defines a sort of indistinguishability for symmetric encryption schemes.

Definition 4. (Matching Find-Guess Problem: MFGP)
Input: $(\mathcal{E}_{K_0}(x_0), \mathcal{E}_{K_1}(x_1), x_b, x_{\bar b})$ where $x_0, x_1 \leftarrow \mathcal{M}$, $K_0, K_1 \leftarrow \mathcal{K}$, $b \leftarrow \{0,1\}$.
Output: $b$.

We say that a symmetric encryption scheme is secure in the sense of MFG if for all poly-time algorithms MFGP can be solved only with negligible advantage over 1/2. Clearly, a one-time pad provides security in the sense of MFG. A stream cipher also provides the same security if its generator produces a pseudorandom bit-stream. For the sake of efficiency, we expect that existing carefully designed symmetric encryption schemes, used in an appropriate mode of operation such as OFB, provide such security as well.

In our construction, session keys for symmetric encryption are derived by applying the hash function $H$ to the results of Diffie-Hellman key exchange; that is, the Diffie-Hellman key exchange and the symmetric encryption are connected by $H$. The security of our hybrid encryption scheme is related to the following problem.

Definition 5. (MFG-MDH Joint Problem)
Input: $(\rho, g^a, g^{ax}, M_0, G_0, M_1, G_1, M'_b, G'_b, M'_{\bar b}, G'_{\bar b})$
where $a, x \leftarrow \mathbb{Z}_q^*$, $b \leftarrow \{0,1\}$, and, for $i \in \{0, 1\}$, $G_i \leftarrow \langle g \rangle$, $M_i \leftarrow \mathcal{M}$, $G'_i = G_i^a$, $M'_i = \mathcal{D}_{K_i}(M_i)$ where $K_i = H(G_i'^{\,x})$.
Output: $b$.

It will be shown that if $H$ is an ideal hash function then solving the above joint problem is as hard as solving either MFGP or MDHP.

4.2 Theorems and Proofs

Theorem 1. The basic scheme provides anonymity in the presence of an $(n-2, m-1)^{PP}$-adversary if DDHP and MFGP are intractable.

To support this theorem, we prove the following lemmas.

Lemma 1. If there exists an $(n-2, m-1)^{PP}$-adversary $A_{PP}$ that breaks anonymity in our Mix-net, then there exists a machine $A_M$ that solves the MFG-MDH joint problem with probability non-negligibly better than 1/2.

Lemma 2. If $A_M$ exists, then there exists a machine $A_D$ that solves at least one of MFGP and MDHP with probability non-negligibly better than 1/2.

Lemma 3. If $A_D$ solves MDHP, then there exists a machine $A_H$ that solves DDHP with probability non-negligibly better than 1/2.

Here we sketch the proof of Lemma 1 and put the proof of Lemma 2 in the Appendix. Lemma 3 can be proven in the same way as in [11], so its proof is omitted.

Proof of Lemma 1 (sketch): Let $M_\ell$ be the server that $A_{PP}$ does not attack, i.e., the one whose view is not given to $A_{PP}$. Given an MFG-MDH joint problem instance $(p, q, g, g^a, g^{ax}, M_0, G_0, M_1, G_1, M'_b, G'_b, M'_{\bar b}, G'_{\bar b})$, $A_M$ simulates the view of $A_{PP}$ as follows.

Simulating Keys: For server $M_\ell$, $A_M$ sets $h_\ell = g^a$ and $y_\ell = g^{ax}$. For the keys of the descending servers $M_{\ell+1}, \ldots, M_m$, $A_M$ follows the key generation procedure, i.e., it randomly chooses private keys $a_i, x_i$ and computes the corresponding public keys $h_i = h_{i-1}^{a_i}$, $y_i = h_i^{x_i}$. For the keys of the ascending servers, a little thought is needed. Let $h_{\ell-1} = g$. Then, for $i = \ell - 1$ down to $1$, $A_M$ chooses $a_i, x_i$ and computes $h_{i-1} = h_i^{1/a_i}$, $y_i = h_i^{x_i}$. It finally sets $\rho = (p, q, h_0)$.

Simulating Lists: $A_M$ puts $(M'_b, G'_b)$ and $(M'_{\bar b}, G'_{\bar b})$ into random positions in $L_\ell$. It then randomly generates the other entries of $L_\ell$ by taking $M$ randomly from the ciphertext space $\mathcal{C}$ and computing $G$ as $h_\ell^r$ with randomly chosen $r$. Next, it selects a random permutation and computes each entry of $L_{\ell-1}$ by encrypting the corresponding entry of $L_\ell$. (This is possible because $A_M$ can retrieve the correct session key by computing $y_\ell^r$.) For the two special entries of $L_{\ell-1}$ that correspond to $(M'_b, G'_b)$ and $(M'_{\bar b}, G'_{\bar b})$, $A_M$ inserts $(M_0, G_0)$ and $(M_1, G_1)$.

Now the rest of the ascending lists, $L_{\ell-2}$ to $L_1$, can be computed in order by encrypting the previous lists with the simulated private keys and randomly generated permutations. (Note that those permutations are chosen so that the two special entries of $L_0$ correspond to the inputs from the unattacked users $U_1$ and $U_2$.) Similarly, the rest of the descending lists, $L_{\ell+1}$ to $L_m$, can be computed by decrypting $L_\ell$ to $L_{m-1}$ in order. In the course of the above simulation, $A_M$ consults the random oracle $H$ to compute the session keys.

The views of the attacked users and servers can be appropriately simulated from the messages in $L_m$ and the random choices of the above simulation. Given the perfectly simulated views and lists, and free access to $H$, $A_{PP}$ distinguishes the two messages in $L_m$ that originate from $U_1$ and $U_2$. From the result of $A_{PP}$, $A_M$ can derive the correspondence between the two special positions in $L_{\ell-1}$ and $L_\ell$ where the given instances were placed, by using the permutations taken by the simulated servers other than $M_\ell$. The success probability of $A_M$ is the same as that of $A_{PP}$. □

A Length-Invariant Hybrid Mix 185

5 Securing against Corrupt Users

The key idea for adding security against corrupt users is to make the underlying encryption non-malleable, so that they cannot launch chosen-ciphertext attacks. Although several efficient non-malleable encryption schemes are available (e.g. [24,25,8,6,2,10,23]), few meet our requirements. For our security proof, we need an underlying encryption scheme that provides plaintext awareness [4] and public verifiability. The latter allows the validity of ciphertexts to be checked without using the decryption key. Our solution is based on [24].

Overall, the protocols are unchanged except that users attach a kind of proof and the mix-servers screen out ciphertexts that come with invalid proofs.

[Encryption]

Message $msg$ is encrypted to $C = (G, E)$ in the same way as in the basic scheme. Let $G = g^r$. A proof of knowledge of $r$ is defined as $P := (e, z, \tilde G, \bar G, \eta, \tilde\eta, \bar\eta)$ such that

$\tilde g := H_2(G),\quad \bar g := H_3(G),$
$\tilde G := \tilde g^{\,r},\quad \bar G := \bar g^{\,r},$
$\eta := g^\sigma,\quad \tilde\eta := \tilde g^{\,\sigma},\quad \bar\eta := \bar g^{\,\sigma},$
$e := H_4(E, g, \tilde g, \bar g, G, \tilde G, \bar G, \eta, \tilde\eta, \bar\eta),$
$z := \sigma - re \bmod q,$

where $\sigma \leftarrow \mathbb{Z}_q$ and $H_2, H_3, H_4$ are hash functions. The output is $(C, P)$.

[Mix Decryption]

Each server first verifies that

$e = H_4(E, g, \tilde g, \bar g, G, \tilde G, \bar G, g^z G^e, \tilde g^{\,z} \tilde G^e, \bar g^{\,z} \bar G^e)$

holds for each input ciphertext. Here $\tilde g, \bar g$ are computed as $\tilde g := H_2(G)$, $\bar g := H_3(G)$, respectively. After the servers agree on the result of the verification, they put each $C$ that came with a valid $P$ into list $L_0$. The rest of the process is the same as in the basic scheme.

The benefit of $P$ is that it makes it possible to simulate a server, say $M_\ell$, without knowing its private keys. The trick is as follows. We want to derive $K_\ell$ and $G'$, the values $M_\ell$ computes for a ciphertext, from the user's $(C, P)$ in $L_0$. Set $\tilde g = H_2(G) = y_\ell^{\,u}$ and $\bar g = H_3(G) = h_\ell^{\,v}$, taking $u$ and $v$ randomly from $\mathbb{Z}_q$. It follows that a valid $P$ must contain $\tilde G = \tilde g^{\,r} = y_\ell^{\,ur}$ and $\bar G = \bar g^{\,r} = h_\ell^{\,vr}$. Thus we can compute $H(\tilde G^{1/u}) = H(y_\ell^{\,r}) = K_\ell$ and $\bar G^{1/v} = h_\ell^{\,r} = G'$ as expected.
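The proof $P$ and the servers' screening step, as an added example that is not code from the paper. It uses the toy group $p = 1019 = 2 \cdot 509 + 1$, $q = 509$, $g = 4$ (an element of order $q$). $H_2$ and $H_3$ are realised here by hashing $G$ and squaring the result, which yields an element of $\langle g \rangle$ whose discrete logarithm nobody knows; $H_4$ is SHA-256 read as an integer, left unreduced so that the challenge is not truncated to $|q|$ bits (the exponentiations reduce it modulo $q$). $P$ is transmitted as $(e, z, \tilde G, \bar G)$ since $\eta, \tilde\eta, \bar\eta$ are recomputed by the verifier. The subgroup-membership check on $G$ is a precaution added in this example and not part of the paper's description.

```python
"""Proof part P of Section 5 (added example, not the paper's code).
Assumed: toy group p = 1019 = 2*509 + 1, q = 509, g = 4 (order q); H_2 and H_3
hash into the order-q subgroup by squaring a hashed value; H_4 is SHA-256 as an
integer. Far too small for real use; the structure is what matters."""
import hashlib
import random

P, Q, G0 = 1019, 509, 4


def h_bytes(tag, *items):
    """Domain-separated SHA-256 over length-prefixed ints (8 bytes) or byte strings."""
    h = hashlib.sha256(tag)
    for it in items:
        b = it if isinstance(it, bytes) else it.to_bytes(8, "big")
        h.update(len(b).to_bytes(2, "big") + b)
    return h.digest()


def hash_to_group(tag, G):
    """H_2 / H_3: <g> -> <g>; x in [2, p-2], so x^2 is a non-trivial square of order q."""
    x = 2 + int.from_bytes(h_bytes(tag, G), "big") % (P - 3)
    return pow(x, 2, P)


def H4(*items):
    """H_4: challenge as a 256-bit integer (reduced mod q only inside exponentiations)."""
    return int.from_bytes(h_bytes(b"H4", *items), "big")


def prove(E, r, rng):
    """User: G = g^r plus a Fiat-Shamir proof of knowledge of r that is bound to E."""
    G = pow(G0, r, P)
    gt, gb = hash_to_group(b"H2", G), hash_to_group(b"H3", G)
    Gt, Gb = pow(gt, r, P), pow(gb, r, P)
    sigma = rng.randrange(1, Q)
    eta, etat, etab = pow(G0, sigma, P), pow(gt, sigma, P), pow(gb, sigma, P)
    e = H4(E, G0, gt, gb, G, Gt, Gb, eta, etat, etab)
    z = (sigma - r * e) % Q
    return (G, E), (e, z, Gt, Gb)


def verify(C, proof):
    """Server: recompute the commitments from (e, z) and check the challenge."""
    G, E = C
    e, z, Gt, Gb = proof
    if G <= 1 or pow(G, Q, P) != 1:               # added precaution: G must lie in <g>
        return False
    gt, gb = hash_to_group(b"H2", G), hash_to_group(b"H3", G)
    eta = pow(G0, z, P) * pow(G, e, P) % P        # g^z  G^e  = g^sigma
    etat = pow(gt, z, P) * pow(Gt, e, P) % P      # g~^z G~^e = g~^sigma
    etab = pow(gb, z, P) * pow(Gb, e, P) % P      # g-^z G-^e = g-^sigma
    return e == H4(E, G0, gt, gb, G, Gt, Gb, eta, etat, etab)


def screen(inputs):
    """Mix servers keep only (C, P) pairs whose proof verifies; the result is L_0."""
    return [C for C, proof in inputs if verify(C, proof)]


def demo(seed=3):
    rng = random.Random(seed)
    E = bytes(rng.getrandbits(8) for _ in range(16))   # constructed stand-in for E
    r = rng.randrange(1, Q)
    C, proof = prove(E, r, rng)
    G, _ = C
    e, z, Gt, Gb = proof
    # A corrupt user who copies G and the proof but swaps in its own E (the
    # chosen-ciphertext route) is screened out, as is any edit to z or to G.
    return {
        "valid": verify(C, proof),
        "tampered_E": verify((G, bytes(16)), proof),
        "tampered_z": verify(C, (e, (z + 1) % Q, Gt, Gb)),
        "squared_G": verify((pow(G, 2, P), E), proof),
        "screened": len(screen([(C, proof), ((G, bytes(16)), proof)])),
    }
```

Because $E$ is hashed into the challenge, a ciphertext cannot be re-associated with a different symmetric part without redoing the proof, which requires $r$; that is what stops a corrupt user from turning the servers into a decryption oracle for honest users' $G$ values. The simulation trick above (programming $H_2, H_3$ as $y_\ell^{\,u}, h_\ell^{\,v}$) is a random-oracle argument and has no counterpart in a concrete implementation.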

Theorem 2. The extended scheme provides anonymity in the presence of $(n-2, m-1)^{AP}$-adversaries if DDHP and MFGP are intractable.

To prove the above theorem, it is sufficient to prove the following lemma. The rest of the proof is supported by Lemmas 2 and 3.

Lemma 4. If there exists an $(n-2, m-1)^{AP}$-adversary that breaks anonymity in our Mix-net, then there exists a machine that solves the MFG-MDH joint problem.

Proof (sketch): The difference between this proof and that of Lemma 1 is twofold:

- the proof part $P$ of the inputs from honest users has to be simulated, and

- the simulator $A_M$ has to correctly decrypt the input ciphertexts coming from a corrupt user without knowing the private keys of the unattacked server.

For the first point, we use the standard simulation technique for honest-verifier public-coin zero-knowledge proofs, regarding $H_4$ as a random oracle.

For the second point, we exploit the plaintext awareness (PA) of the underlying encryption scheme. $A_M$ first computes $L_m$ by using the PA property, and subsequently computes $L_{m-1}, \ldots, L_\ell$ by encrypting each entry of the previous list with the simulated public keys. $A_M$ then computes $L_0$ to $L_{\ell-1}$ by correctly performing decryption with the simulated decryption keys. In this way, the resulting $L_{\ell-1}$ and $L_\ell$ have the same relation as in a real execution with regard to the public key of the unattacked server $M_\ell$. □

6 Securing against Corrupt Servers

Robustness is added following [9]. We briefly introduce the main idea here and omit the details due to page restrictions.

To prevent corrupt servers from behaving maliciously, we group the servers in such a way that every group contains at least one honest server and at least one group consists only of honest servers. With at most $t$ corrupt servers, such a grouping is easily formed by placing $t+1$ servers in each of $t+1$ groups when $m = (t+1)^2$. Then a representative member of each group executes the mix decryption, while all other members are given all the private information (secret keys and random choices) used in the mix decryption and monitor its behavior. Thus malicious deviation in each group is always detected by an honest member. Since there is at least one perfectly honest group, that group works correctly and outputs the correct result.


7 Efficiency Analysis

Here the computational cost of our basic scheme is compared to that of [18], which is one of the widely known schemes based on ElGamal encryption and provides the same level of security as our basic scheme. Their scheme is summarized as follows. Server $i$ has private key $x_i$ and public key $y_i = g^{x_i}$. For each ElGamal ciphertext $(G, M) = (g^r, msg \cdot y^r)$ where $y = \prod_{j=1}^{m} y_j$, server $i$ computes $(G', M') = (G g^{s}, M G^{-x_i} \hat y_i^{\,s})$ with fresh randomness $s$, where $\hat y_i = \prod_{j=i+1}^{m} y_j$. In this scheme $q$ must be very large so that all potential messages are in the subgroup generated by $g$. Hence we assume $|p| \approx |q|$. On the other hand, since our scheme only needs randomness sufficient for generating symmetric keys, $|q|$ can be much smaller than $|p|$.

Table 1 shows the number of modular multiplications needed per message, assuming the use of the binary method for exponentiation. For double-base and single-base exponentiation we assume the simple table-lookup method described in [15], whose cost per exponentiation is a small constant multiple of $|q|$ multiplications (the table counts a single-base exponentiation as $|q|$). Although the user's computation is linear in the number of servers, for a typical setting, say $|p| = 1024$ and $|q| = 160$, our scheme enjoys less computation (excluding symmetric encryption) for up to 11 servers.

This advantage is lost if one considers an elliptic curve implementation, where $|p| \approx |q|$. However, our scheme still saves computation if messages exceed 160 bits, as symmetric encryption is 100 to 1000 times faster than scalar multiplication over an elliptic curve.

Table 1. Number of modular multiplications per message; $m$ is the number of servers.

  Scheme          User                   Each Server
  ElGamal [18]    $|p| \times 2$         one double-base and one single-base exponentiation on $|p|$ bits
  Ours (basic)    $|q| \times (m+1)$     $|q| \times 2$


8 Open Problems

The resulting robust scheme still has some issues that must be resolved. First, it is preferable to provide public verifiability, so that anyone outside the mix can be convinced of the output. Second, optimal resiliency should be provided; at least, we need linear resiliency, i.e., $O(m)$, instead of $O(\sqrt{m})$.

Our security proof of Lemma 1 is for the case where honest users select messages uniformly from $\{0,1\}^{\ell_{msg}}$. However, the users might be restricted to choosing messages from an exponentially sparse space (of length $\ell_{msg}$). In such a case, our simulation in the proof of Lemma 1 is not suitable, because the plain messages obtained by decrypting the given instance of the joint problem are unlikely to fall into the exponentially sparse space. Since we assume that the underlying encryption scheme provides security equally for all messages, such a restriction on the message space is unlikely to impact security. It remains, however, an open problem to prove this formally.
Appendix (Proof of Lemma 2)

We first show that $A_M$ can be used to solve CDHP, or else can be used to solve either MFGP or MDHP. Let $(M_0, M_1, M'_{b_F}, M'_{\bar b_F})$ be an instance of MFGP and $(\rho, h, G_0, G_1, G'_{b_D}, G'_{\bar b_D})$ be an instance of MDHP. Let $y := h^x$ for $x \leftarrow \mathbb{Z}_q$. The input to $A_M$ is a tuple of the form $Input_{A_M} := \{\rho, y, h, (M_0, G_0), (M_1, G_1), (M'_{b_F}, G'_{b_D}), (M'_{\bar b_F}, G'_{\bar b_D})\}$. Note that this may not be a correct instance of the joint problem, as $b_D$ and $b_F$ may differ. Now we observe the behavior of $A_M$ given this input. Let $q_H$ be the maximum number of queries from $A_M$ to $H$; $q_H$ is bounded by a polynomial in the security parameter $k$. Let $Q_i$ denote the $i$-th query to $H$. If there exists $i$ such that $Q_i = G'^{\,x}_{b_D}$, then $G'^{\,x}_{b_D}$ is the answer to the CDHP instance $[h, y, G'_{b_D}]$ (writing $[h, y, G'_{b_D}] = [g^a, g^{ax}, g^{ar}]$, we have $G'^{\,x}_{b_D} = g^{axr}$). Similarly, if there exists $i$ such that $Q_i = G'^{\,x}_{\bar b_D}$, then $G'^{\,x}_{\bar b_D}$ is the answer to the CDHP instance $[h, y, G'_{\bar b_D}]$. Define $V_{DH} := \Pr[\exists\, i \in \{1, \ldots, q_H\},\ b_j \in \{0, 1\} : Q_i = G'^{\,x}_{b_j}]$. As above, $A_M$ can be used to solve CDHP.

Next we show that $A_M$ can be used to solve either MFGP or MDHP. Suppose that no such queries exist. In this case, the symmetric keys used in the MFGP part are independent of the MDHP part because of the randomness of $H$; the adversary $A_D$ chooses those keys at random without asking the random oracle $H$. We next consider the relation between $b_F$ and $b_D$.

1. The case of $b_F = b_D$.

$Input_{A_M}$ is perfectly indistinguishable from a correct input derived from the answers of the random oracle $H$. So $A_M$ outputs $\hat b$ with $\hat b = b$ with probability $\geq \frac{1}{2} + \mu_A$, i.e., the same as the success probability of $A_{PP}$.

2. The case of $b_F \neq b_D$.

In this case, the distribution of $Input_{A_M}$ is not correct. If $A_M$ does not stop within $t_A$ steps, $\hat b$ is taken at random from $\{0, 1\}$. Now define $V_F$ and $V_D$ as follows: $V_F = \Pr[\hat b = b_F \mid b_F \neq b_D]$, $V_D = \Pr[\hat b = b_D \mid b_F \neq b_D]$. If $b_F \neq b_D$, $\hat b$ must equal either $b_F$ or $b_D$. Hence $V_F + V_D = 1$.

Since $b_F = b_D$ and $b_F \neq b_D$ each happen with probability $\frac{1}{2}$, we have

$\Pr[\hat b = b_F] = (1 - V_{DH})\{\tfrac{1}{2}(\tfrac{1}{2} + \mu_A) + \tfrac{1}{2} V_F\} = (1 - V_{DH})\{\tfrac{1 + 2\mu_A}{4} + \tfrac{V_F}{2}\}$ (1)

$\Pr[\hat b = b_D] = (1 - V_{DH})\{\tfrac{1}{2}(\tfrac{1}{2} + \mu_A) + \tfrac{1}{2} V_D\} = (1 - V_{DH})\{\tfrac{1 + 2\mu_A}{4} + \tfrac{V_D}{2}\}$ (2)

Since $V_F + V_D = 1$, either $V_F$ or $V_D$ is not less than $\frac{1}{2}$. Therefore, when $V_{DH}$ is negligible, the advantage in Equation (1) or in Equation (2), or in both, is not negligible.

The common key used in MFGP is perfectly indistinguishable from the actual common key derived from the answer of the random oracle $H$, because it is chosen at random. So if the answer to the CDHP is not contained in the list of queries from $A_M$ to $H$, we can say that $(M_0, M_1, M'_b, M'_{\bar b})$ and $(G_0, G_1, G'_b, G'_{\bar b})$ have no relation to each other, though they affect each other through the common key in the actual input. Hence MFGP and MDHP are independent, and neither provides any help in solving the other.

Based on the above observation, we construct Block T1, Block T2 and Block T3, which solve CDHP, MFGP and MDHP, respectively.

[Block T1]

1. Receive CDHP instance $(\rho, g^\alpha, g^\beta)$.

2. Make an MDHP instance as follows.
- Choose $b_1 \leftarrow \{0, 1\}$.
- $y := g^\alpha$, $G'_{b_1} := g^\beta$, $G'_{\bar b_1} \leftarrow \langle g \rangle$.
- $a \leftarrow \mathbb{Z}_q^*$, $h := g^a$, $G_0 := G_0'^{\,1/a}$, $G_1 := G_1'^{\,1/a}$.
- $\rho = (p, q, g)$.

3. Make an MFGP instance as $M_i \leftarrow \mathcal{M}$, $K_i \leftarrow \mathcal{K}$, $M'_i := \mathcal{D}_{K_i}(M_i)$ for $i = 0, 1$.

4. Choose $b \leftarrow \{0, 1\}$.

5. Choose $I$ randomly from $1 \leq I \leq q_H$.

6. Input the following to $A_M$:
$Input_{A_M} = \{\rho, h, y, (M_0, G_0), (M_1, G_1), (M'_b, G'_b), (M'_{\bar b}, G'_{\bar b})\}$.

7. If $A_M$ poses a query to $H$, return a random value chosen from the key space $\mathcal{K}$. If it is the $I$-th query $Q_I$, output $Q_I^{\,a}$ and stop. (Since $y = h^x$ with $h = g^a$, we have $x = \alpha / a$; if $Q_I = G'^{\,x}_{b_1} = g^{\beta\alpha/a}$ then $Q_I^{\,a} = g^{\alpha\beta}$, the CDHP answer.)

Observe that the simulation is perfect only if the correct answer to the CDHP is $Q_I$, or if it is never asked of $H$ (otherwise we have answered the query with a randomly chosen session key that may confuse $A_M$).

[Block T2]

1. Receive MFGP instance $(M_0, M_1, M'_{b_F}, M'_{\bar b_F})$.

2. Make an MDHP instance as follows.
- $(p, q, g) \leftarrow \mathcal{G}(1^k)$
- $a, x \leftarrow \mathbb{Z}_q^*$, $y := g^{ax}$, $h := g^a$
- $r_0, r_1 \leftarrow \mathbb{Z}_q^*$, $G_0 := g^{r_0}$, $G_1 := g^{r_1}$, $G'_0 := h^{r_0}$, $G'_1 := h^{r_1}$

3. Choose $b_D \leftarrow \{0, 1\}$. Next input the following to $A_M$:
$Input_{A_M} = \{\rho, h, y, (M_0, G_0), (M_1, G_1), (M'_{b_F}, G'_{b_D}), (M'_{\bar b_F}, G'_{\bar b_D})\}$

4. For all queries from $A_M$ to $H$, return a random value from $\mathcal{K}$.

5. Output the $\hat b$ that $A_M$ outputs.

[Block T3]

1. Receive MDHP instance $(\rho, h, G_0, G_1, G'_{b_D}, G'_{\bar b_D})$.

2. Make an MFGP instance as $M_i \leftarrow \mathcal{M}$, $K_i \leftarrow \mathcal{K}$, $M'_i := \mathcal{D}_{K_i}(M_i)$ for $i \in \{0, 1\}$.

3. Choose $b_F \leftarrow \{0, 1\}$ and set $y := h^x$ for $x \leftarrow \mathbb{Z}_q$. Next input the following to $A_M$:
$Input_{A_M} = \{\rho, h, y, (M_0, G_0), (M_1, G_1), (M'_{b_F}, G'_{b_D}), (M'_{\bar b_F}, G'_{\bar b_D})\}$

4. For all queries from $A_M$ to $H$, return a random value from $\mathcal{K}$.

5. Output the $\hat b$ that $A_M$ outputs.

By using the above blocks, we construct $A_D$ as follows.

[Construction of $A_D$]

1. Receive CDHP instance $(\rho, g^\alpha, g^\beta)$, MFGP instance $(M_0, M_1, M'_{b_F}, M'_{\bar b_F})$, and MDHP instance $(\rho, h, G_0, G_1, G'_{b_D}, G'_{\bar b_D})$.

2. Input each instance to the appropriate block.

3. Output the result provided by each block as the answer to the corresponding problem.

Now we discuss the success probability of $A_D$.

Case 1 ($V_{DH}$ is not negligible.)

The output of Block T1 is a correct answer to the CDHP if $Q_I = G'^{\,x}_{b'}$ for $b' = b_1$. This happens with probability $V_{DH}$ divided by a polynomial (the guesses of $I$ and $b_1$), which is not negligible.

Case 2 ($V_{DH}$ is negligible.)

If $V_F \geq 1/2$, from Equation (1) we have

$\Pr[\hat b = b_F] = (1 - V_{DH})\{\tfrac{1 + 2\mu_A}{4} + \tfrac{V_F}{2}\} \geq (1 - V_{DH})\{\tfrac{1}{2} + \tfrac{\mu_A}{2}\} \geq \tfrac{1}{2} + \mu_{MFG}$

for some $\mu_{MFG}$ that is not negligible. Otherwise, if $V_D \geq 1/2$, we have $\Pr[\hat b = b_D] \geq \tfrac{1}{2} + \mu_{MDH}$ for some $\mu_{MDH}$ that is not negligible. Thus either MFGP or MDHP is solved with an advantage that is not negligible. □



Attack for Flash MIX

Masashi Mitomo* and Kaoru Kurosawa

Tokyo Institute of Technology,
2-12-1 O-okayama, Meguro-ku, Tokyo 152-8552, Japan
mitomo@flab.fujitsu.co.jp, kurosawa@ss.titech.ac.jp

Abstract. A MIX net takes a list of ciphertexts $(c_1, \cdots, c_N)$ and outputs a permuted list of the plaintexts $(m_1, \cdots, m_N)$ without revealing the relationship between $(c_1, \cdots, c_N)$ and $(m_1, \cdots, m_N)$. This paper shows that Jakobsson's flash MIX of PODC'99, which was believed to be the most efficient robust MIX net, is broken. In our attack, the first MIX server can prevent the computation of the correct output with probability 1. We also present a countermeasure against our attack.

1 Introduction

A MIX net takes a list of ciphertexts $(c_1, \cdots, c_N)$ of users $1, \cdots, N$ and outputs a permuted list of the plaintexts $(m_1, \cdots, m_N)$ without revealing the relationship between $(c_1, \cdots, c_N)$ and $(m_1, \cdots, m_N)$. MIX nets have found many applications in anonymous communication [4], election schemes [4,7,13,15] and payment systems [9].

The original MIX net was proposed by Chaum [4]. B. Pfitzmann and A. Pfitzmann, however, showed an attack by a sender which is more complicated than a simple repeated-ciphertext attack [14].

Another problem of Chaum's MIX net, based on RSA, is that the size of each ciphertext $c_i$ is very long, proportional to the number of MIX servers $v$. Park et al. overcame this problem by using the ElGamal encryption scheme, so that the size of each $c_i$ became independent of $v$ [13]. Almost all MIX nets proposed after this paper are based on the ElGamal encryption scheme.

A general method to achieve verifiability is to have each MIX server prove in zero knowledge that he behaved correctly. Sako and Kilian [15] showed such an efficient proof system for Park et al.'s MIX net. This scheme is the first universally verifiable MIX net.

On the other hand, Ogata et al. showed the first robust MIX net which is also universally verifiable [12]. In this scheme, the computational cost of each MIX server is $O(ktN)$ and the external verifier's cost is also $O(ktN)$, where $k$ is the security parameter and $t$ denotes the number of malicious MIX servers.

At Eurocrypt '98, Abe showed a robust MIX net in which the external verifier's cost is reduced to $O(kN)$ [1]. At the same time, Jakobsson showed a more efficient robust MIX net, called practical MIX [8] (but not universally verifiable).

* He is currently working for Fujitsu Laboratories Ltd.

T. Okamoto (Ed.): ASIACRYPT 2000, LNCS 1976, pp. 192-204, 2000.
Instead of cut-and-choose methods, he introduced a method of so-called repetition robustness. However, this scheme was recently broken by Desmedt and Kurosawa (the DK attack) [5].

At PODC'99, Jakobsson proposed his second robust MIX net, called flash MIX [10]. This scheme is the most efficient robust MIX net known so far that satisfies $v = O(t)$, where $v$ is the number of MIX servers. (The MIX net recently proposed in [5] requires $v = O(t^2)$.) In flash MIX, the computational cost of each MIX server is only $O(tN)$. The DK attack [5] on practical MIX [8] does not work for flash MIX directly, because two dummy elements are inserted into the input list at the beginning of the protocol in flash MIX. Indeed, Jakobsson proved the security of flash MIX in [10, Theorem 1 and Theorem 2].

In this paper, however, we show that flash MIX is broken. In our attack, the first MIX server can prevent the computation of the correct output with probability 1. This means that his security proof is wrong. Our attack is a variant of the DK attack on practical MIX [5]. We also present a countermeasure against our attack. The security of our countermeasure is left as further work.

Flash MIX consists of the first re-encryption phase, the second re-encryption phase and the unblinding protocol, in which each MIX server proves that he behaved correctly in the first and second re-encryption phases. Our malicious first MIX server executes the first re-encryption phase honestly but cheats in the second re-encryption phase. He computes his invalid output lists not only from his input lists of the second re-encryption phase but also from the input to the flash MIX itself, so that no cheating is detected in the unblinding protocol.

Other related works. Abe showed MIX nets which are efficient for small $N$ [2,3]. In Abe's MIX nets, the cost of each MIX server is $O(tN \log N)$. Jakobsson and Juels showed a MIX net which has the same advantage in [11]. In their MIX net, the cost of each MIX server is $O(tN \log^2 N)$. Since these complexities grow faster in $N$ than those of the other schemes, these schemes suit small $N$.

On the other hand, Desmedt and Kurosawa showed a MIX net in which the cost of each MIX server is only $O(N)$ while $v = O(t^2)$ [5].

2 Model of MIX Net

2.1 Model and Definitions

In the model of MIX nets there exist three types of participants: users, a bulletin board, and the MIX servers.

1. The users post encrypted messages $(c_1, \cdots, c_N)$ to the bulletin board.

2. After the bulletin board fills up, or after some other triggering event occurs, the MIX servers compute a randomly permuted list of decryptions $(m_1, \cdots, m_N)$ of all valid encryptions posted on the bulletin board.

MIX nets must satisfy privacy, verifiability and robustness. Suppose that at most $t$ among the $v$ MIX servers and at most $N-2$ among the $N$ senders are malicious. Then we say that a MIX net satisfies:

- $t$-privacy if the relationship between $(c_1, \cdots, c_N)$ and $(m_1, \cdots, m_N)$ is kept secret.

- $t$-verifiability if an incorrect output of the MIX net is detected with overwhelming probability.

- $t$-robustness if it can output $(m_1, \cdots, m_N)$ correctly with overwhelming probability.

We say that a MIX net is $t$-resilient if it satisfies $t$-privacy, $t$-verifiability and $t$-robustness.

2.2 ElGamal Based Encryption Scheme for Users

Let $p$ be a safe prime, i.e., $p, q$ are primes such that $p = 2q + 1$, and let $g$ be a generator of $G_q$, the subgroup of order $q$. Let $y = g^x \bmod p$, where $x$ is a secret key. The public key of the ElGamal encryption scheme is $(p, q, g, y)$.

To encrypt a value $m \in G_q$, a random number $r \in_u \mathbb{Z}_q$ is chosen and the ciphertext $(a, b) = (g^r, m y^r)$ is calculated. For decryption, $m = b / a^x$ is calculated. (To guarantee that $m \in G_q$, we let $m = (M \mid p) M$ for an original message $M \in [1 \ldots (p-1)/2]$, where $(M \mid p)$ is the Jacobi symbol of $M$.)

The MIX servers share the secret key $x$ using a $(t+1, v)$ threshold scheme [16], where $v$ denotes the number of MIX servers.

3 Flash MIX

Jakobsson proposed his second $t$-resilient MIX net, called flash MIX, at PODC'99 [10]. (His first $t$-resilient MIX net [8] was broken [5].) This scheme is the most efficient robust MIX net known so far that satisfies $v = O(t)$. (The MIX net recently proposed in [5] requires $v = O(t^2)$.) In flash MIX, the computational cost of each MIX server is only $O(tN)$.

For $(a, b)$, let

$(c, d) = (a g^\beta, b y^\beta)$.

We say that $(c, d)$ is a re-encryption of $(a, b)$ and $\beta$ is the re-encryption exponent. For $(a_1, b_1)$ and $(a_2, b_2)$, we say that $(a_1 a_2, b_1 b_2)$ is the product of $(a_1, b_1)$ and $(a_2, b_2)$.
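The ElGamal operations of Sections 2.2 and 3 as an added example that is not code from the paper: the Jacobi-symbol encoding of messages into $G_q$, encryption and decryption, re-encryption, products of ciphertexts, and the relation between the product of a list and the product of its re-encrypted, permuted copy that the product check of the unblinding protocol (eq. (4) below) relies on. The toy parameters $p = 1019$, $q = 509$, $g = 4$ and the seeded randomness are assumptions of this example and are far too small for real use; threshold decryption is replaced by a single key holder.

```python
"""ElGamal over a safe-prime group as used by flash MIX (added example).
Toy parameters p = 1019 = 2*509 + 1, q = 509, g = 4 (order q) are assumptions of
this example. Products of ciphertexts commute with re-encryption and permutation,
which is the fact behind the product verification of the unblinding protocol."""
import random

P, Q, G = 1019, 509, 4


def jacobi(a, n):
    """Jacobi symbol (a | n) for odd n > 0; equals the Legendre symbol for prime n."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def encode(M):
    """m = (M | p) * M maps M in [1, (p-1)/2] into G_q, the quadratic residues."""
    assert 1 <= M <= (P - 1) // 2
    return (jacobi(M, P) * M) % P


def decode(m):
    """Inverse of encode: exactly one of m and p - m lies in [1, (p-1)/2]."""
    return m if m <= (P - 1) // 2 else P - m


def keygen(rng):
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


def encrypt(y, m, rng):
    r = rng.randrange(0, Q)
    return pow(G, r, P), m * pow(y, r, P) % P


def decrypt(x, c):
    a, b = c
    return b * pow(a, (Q - x) % Q, P) % P      # b / a^x, since a has order q


def reencrypt(y, c, beta):
    """(c, d) = (a g^beta, b y^beta)."""
    a, b = c
    return a * pow(G, beta, P) % P, b * pow(y, beta, P) % P


def product(cs):
    """Component-wise product of a list of ciphertexts."""
    A = B = 1
    for a, b in cs:
        A, B = A * a % P, B * b % P
    return A, B


def check_product(y, before, after, mu):
    """(C, D) = (A g^mu, B y^mu) for the products (A, B) of before and (C, D) of after."""
    A, B = product(before)
    C, D = product(after)
    return C == A * pow(G, mu, P) % P and D == B * pow(y, mu, P) % P


def demo(seed=5):
    rng = random.Random(seed)
    x, y = keygen(rng)
    msgs = [17, 250, 509, 3]                         # constructed sample messages
    cs = [encrypt(y, encode(M), rng) for M in msgs]
    betas = [rng.randrange(0, Q) for _ in cs]
    cs2 = [reencrypt(y, c, beta) for c, beta in zip(cs, betas)]
    rng.shuffle(cs2)                                  # permuting does not change products
    mu = sum(betas) % Q                               # aggregate exponent a server would publish
    return {
        "decrypted": sorted(decode(decrypt(x, c)) for c in cs2),
        "product_ok": check_product(y, cs, cs2, mu),
        "wrong_mu": check_product(y, cs, cs2, (mu + 1) % Q),
    }
```

The product check only fixes the sum of the re-encryption exponents and the multiset of plaintexts as a whole, which is why flash MIX pairs it with the dummy checks and the relative-sorting proof; the attack in this paper targets that combination.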


3.1 Functionality

The input to flash MIX is a list of ciphertexts

$((a_1, b_1), \cdots, (a_N, b_N))$,

where $(a_i, b_i)$ is an ElGamal encryption of a message $m_i$ with respect to the public key $(p, q, g, y)$. The output is a random permutation of

$((\tilde a_1, \tilde b_1), \cdots, (\tilde a_N, \tilde b_N))$,

where

$(\tilde a_i, \tilde b_i) = (a_i g^{r_i}, b_i y^{r_i})$

is a random re-encryption of $(a_i, b_i)$. $(\tilde a_i, \tilde b_i)$ can later be decrypted by a $(t+1, v)$-threshold decryption scheme.

Flash MIX starts with $t+1$ MIX servers, say MIX servers $1, \cdots, t+1$. If cheating is detected during any step of the protocol, a cheater detection phase commences. In the cheater detection phase, a cheater is detected and replaced. Afterwards, the protocol is restarted.

It consists of two subprotocols, the blinding protocol and the unblinding protocol.

3.2 Blinding Protocol

Flash MIX first executes the blinding protocol as follows.

(1) Generation and insertion of dummies.

Two dummies $(a_{N+1}, b_{N+1})$ and $(a_{N+2}, b_{N+2})$ are constructed collectively by all MIX servers such that $a_{N+1}, b_{N+1}, a_{N+2}$ and $b_{N+2}$ are random elements of $G_q$. Let

$L_0 = ((a_1, b_1), \cdots, (a_{N+2}, b_{N+2}))$. (1)

(2) Duplication.

$\tau \geq 2$ copies of $L_0$ are created, where $\tau$ is chosen as a function of $N$ and of $\varepsilon$, the maximum failure probability. They are denoted by $L_{1,0}, L_{2,0}, \cdots, L_{\tau,0}$.

(3) First re-encryption.

For $j = 1, 2, \cdots, t+1$, MIX server $j$ takes as input the lists

$L_{1,j-1}, \cdots, L_{\tau,j-1}$. (2)

He re-encrypts each element of each list given to him and forwards random permutations of the resulting lists to the next server. His output lists are denoted by

$L_{1,j}, \cdots, L_{\tau,j}$.

The final result of this step is denoted by

$L'_{1,0} = L_{1,t+1}, \cdots, L'_{\tau,0} = L_{\tau,t+1}$.

Since at least one of the $t+1$ MIX servers is assumed to be honest, these are randomly re-encrypted and permuted copies of $L_0$.

(4) Second re-encryption.

The $t+1$ MIX servers execute a similar re-encryption on input $L'_{1,0}, \cdots, L'_{\tau,0}$. The input lists of MIX server 1 are $L'_{1,0}, \cdots, L'_{\tau,0}$ and the output lists are denoted by $L'_{1,1}, \cdots, L'_{\tau,1}$. The input lists of MIX server $j \geq 2$ are denoted by $L'_{1,j-1}, \cdots, L'_{\tau,j-1}$ and the output lists are denoted by $L'_{1,j}, \cdots, L'_{\tau,j}$.
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Fig. 2. Second re-encryption 


3.3 Unblinding Protocol 

After the blinding protocol, the unblinding protocol is executed in which each 
MIX server proves that he behaved honestly in the blinding protocol. 

(1) Verifying the first re-encryption. 

Each MIX server reveals the re-encryption exponents and the random per- 
mutation which he used in the first re-encryption. They are checked by the 
other MIX servers. 

(2) Aggregation.

After the above step, everyone can compute the aggregate permutations $\Pi_1, \ldots, \Pi_\tau$ and the aggregate re-encryption exponents $\beta_{i,j}$ of the first re-encryption such that

$$L'_{1,0} = \Pi_1\big((a_1 g^{\beta_{1,1}}, b_1 y^{\beta_{1,1}}), \ldots, (a_{N+2} g^{\beta_{1,N+2}}, b_{N+2} y^{\beta_{1,N+2}})\big),$$
$$\vdots \qquad (3)$$
$$L'_{\tau,0} = \Pi_\tau\big((a_1 g^{\beta_{\tau,1}}, b_1 y^{\beta_{\tau,1}}), \ldots, (a_{N+2} g^{\beta_{\tau,N+2}}, b_{N+2} y^{\beta_{\tau,N+2}})\big).$$

(3) Verification of dummy values.

In this phase, each MIX server proves that he behaved honestly about the two dummies in the second re-encryption.

(3.1) MIX server 1 publishes how he permuted the two dummies in $L'_{1,1}, \ldots, L'_{\tau,1}$. (Note that after the verifying the first re-encryption phase, he knows the positions of the two dummies in $L'_{1,0}, \ldots, L'_{\tau,0}$.) Next, he reveals the re-encryption exponent he used for the second dummy. He also proves that he knows the re-encryption exponent he used for the first dummy in zero-knowledge.

They are checked by the other MIX servers.

(3.2) MIX server 2 behaves similarly to MIX server 1. (Note that from Step 3.1, he knows the positions of the two dummies in $L'_{1,1}, \ldots, L'_{\tau,1}$.)

(3.3) MIX servers $3, \ldots, t+1$ behave similarly.

(4) Verification of products.

In this phase, each MIX server proves that he behaved honestly about the product of all elements except the second dummy of each list in the second re-encryption.

(4.1) MIX server 1 behaves as follows. For $i = 1, 2, \ldots, \tau$, let

$(A_i, B_i)$ = the product of all elements of $L'_{i,0}$ except the second dummy,
$(C_i, D_i)$ = the product of all elements of $L'_{i,1}$ except the second dummy.

Then it holds that

$$C_i = A_i g^{\mu_i} \quad \text{and} \quad D_i = B_i y^{\mu_i} \qquad (4)$$

for some $\mu_i$. MIX server 1 publishes such $\mu_i$ for $1 \le i \le \tau$. The other MIX servers verify that eq.(4) holds for $1 \le i \le \tau$.

(4.2) MIX servers $2, 3, \ldots, t+1$ behave similarly.

(5) Verification of relative sorting.

Each MIX server $j$ proves that $L'_{1,j}$ is a permuted and re-encrypted version of $L'_{i,j}$ for $2 \le i \le \tau$ in the second re-encryption.

Let $f$ be a keyed function that can be modelled by a random oracle. For simplicity, we assume that the range and the domain of $f$ are equal but for a negligible fraction of values.

(5.1) MIX server 1 behaves as follows. Let

$$L'_{1,1} = ((a'_1, b'_1), \ldots, (a'_{N+2}, b'_{N+2})),$$
$$L'_{i,1} = ((c_1, d_1), \ldots, (c_{N+2}, d_{N+2})).$$

Then $L'_{1,1}$ is a permuted and re-encrypted version of $L'_{i,1}$ for $2 \le i \le \tau$. That is,

$$L'_{1,1} = \Phi_i\big((c_1 g^{\gamma_{i,1}}, d_1 y^{\gamma_{i,1}}), \ldots, (c_{N+2} g^{\gamma_{i,N+2}}, d_{N+2} y^{\gamma_{i,N+2}})\big) \qquad (5)$$

for some $\Phi_i$ and $\{\gamma_{i,j}\}$. Note that MIX server 1 can compute such $\Phi_i$ and $\{\gamma_{i,j}\}$ from $\Pi_i$, $\{\beta_{i,j}\}$ of eq.(3) and the random numbers he used in the second re-encryption.

Now MIX server 1 proves that eq.(5) holds by revealing the so-called tag lists $T_{1,1}, \ldots, T_{\tau,1}$ and the so-called offset lists $E_{2,1}, \ldots, E_{\tau,1}$ such that

$$T_{1,1} = (R_1, \ldots, R_{N+2}),$$
$$T_{i,1} = \Phi_i^{-1}(R_1, \ldots, R_{N+2}) \quad \text{for } 2 \le i \le \tau,$$
$$E_{i,1} = \Phi_i^{-1}(\gamma_{i,1}, \ldots, \gamma_{i,N+2}) \quad \text{for } 2 \le i \le \tau,$$

where $R_1, \ldots, R_{N+2}$ are unique elements in the domain of $f$. (Revealing the tag lists and the offset lists is almost equivalent to revealing $\Phi_i$ and $\{\gamma_{i,j}\}$.)

The other MIX servers verify that eq.(5) holds by using the above tag lists and offset lists.

(5.2) Each MIX server $i$ ($\ge 2$) applies the function $f$, keyed with a secret and random key, to all the elements of his input tag lists. His tag lists are obtained by applying the permutation he used in the second re-encryption to the above updated lists. He also generates his offset lists by using his input tag lists and input offset lists. He then reveals his tag lists and offset lists. The other MIX servers verify them.

(6) Output of flash MIX.

If no cheater was found, then dummies are removed from the re-encrypted and permuted first list copy, and the resulting list is output.
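The product check of step (4), as an added example in Python (not the paper's code): one honest MIX server step over a constructed toy ElGamal group passes eq.(4), while a server that silently alters one real plaintext cannot satisfy it. The group parameters, the key and the dummies (encryptions of 1 here, random group elements in the paper) are assumptions made for the demonstration; note that the check constrains only the product of the non-dummy elements, not each element individually.

```python
import random

# Toy ElGamal group for the demonstration: p = 2q + 1, g of order q.
# Constructed parameters, far too small for real use.
P = 2039
Q = 1019
G = 4


def keygen(rng):
    """Returns (x, y) with y = g^x; in flash MIX x would be threshold-shared."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


def encrypt(m, y, rng):
    """ElGamal ciphertext (a, b) = (g^r, m y^r) for a message m in G_q."""
    r = rng.randrange(Q)
    return (pow(G, r, P), m * pow(y, r, P) % P)


def decrypt(ct, x):
    a, b = ct
    return b * pow(a, (Q - x) % Q, P) % P      # b / a^x, using that a has order q


def reencrypt(ct, y, beta):
    """Re-encryption with exponent beta: (a g^beta, b y^beta), as in eq. (3)."""
    a, b = ct
    return (a * pow(G, beta, P) % P, b * pow(y, beta, P) % P)


def mix_server(lst, y, rng):
    """One MIX server step: re-encrypt every element, then permute the list.
    Returns the output list plus the permutation and exponents (the server's secrets)."""
    exps = [rng.randrange(Q) for _ in lst]
    perm = list(range(len(lst)))
    rng.shuffle(perm)                            # perm[pos] = where input pos lands
    out = [None] * len(lst)
    for pos, (ct, beta) in enumerate(zip(lst, exps)):
        out[perm[pos]] = reencrypt(ct, y, beta)
    return out, perm, exps


def product_except(lst, skip):
    """Component-wise product of all ciphertexts in lst except the one at index skip."""
    a_prod, b_prod = 1, 1
    for i, (a, b) in enumerate(lst):
        if i != skip:
            a_prod = a_prod * a % P
            b_prod = b_prod * b % P
    return a_prod, b_prod


def verify_products(l_in, l_out, skip_in, skip_out, mu, y):
    """Eq. (4): (C, D) = (A g^mu, B y^mu), where (A, B) and (C, D) are the products of
    the input and output lists without the second dummy (whose position is public)."""
    A, B = product_except(l_in, skip_in)
    C, D = product_except(l_out, skip_out)
    return C == A * pow(G, mu, P) % P and D == B * pow(y, mu, P) % P


def build_input(n, y, rng):
    """N real ciphertexts followed by two dummies. For the sanity check below the
    dummies are encryptions of 1 (constructed choice; the paper uses random elements)."""
    msgs = [pow(rng.randrange(2, P), 2, P) for _ in range(n)]    # squares lie in G_q
    l_in = [encrypt(m, y, rng) for m in msgs] + [encrypt(1, y, rng), encrypt(1, y, rng)]
    return msgs, l_in


def honest_round(n=4, seed=1):
    """An honest server publishes mu = sum of its exponents except the second dummy's."""
    rng = random.Random(seed)
    x, y = keygen(rng)
    msgs, l_in = build_input(n, y, rng)
    skip_in = n + 1                               # index of the second dummy in the input
    l_out, perm, exps = mix_server(l_in, y, rng)
    mu = sum(e for i, e in enumerate(exps) if i != skip_in) % Q
    ok = verify_products(l_in, l_out, skip_in, perm[skip_in], mu, y)
    # The output decrypts to the same multiset of messages (plus the two dummies).
    same_msgs = sorted(decrypt(ct, x) for ct in l_out) == sorted(msgs + [1, 1])
    return ok, same_msgs


def tampered_round(n=4, seed=1):
    """A server that multiplies one real plaintext by g fails eq. (4): the a-component
    forces mu to be the honest sum, and with that mu the b-component no longer matches."""
    rng = random.Random(seed)
    _, y = keygen(rng)
    _, l_in = build_input(n, y, rng)
    skip_in = n + 1
    l_out, perm, exps = mix_server(l_in, y, rng)
    a, b = l_out[perm[0]]
    l_out[perm[0]] = (a, b * G % P)               # changes the plaintext of element 0
    mu = sum(e for i, e in enumerate(exps) if i != skip_in) % Q
    return verify_products(l_in, l_out, skip_in, perm[skip_in], mu, y)
```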


3.4 Security 

The DK attack [5] for practical MIX [8] does not work for flash MIX directly because two dummy elements are inserted into the input list at the beginning of the protocol in flash MIX. Actually, Jakobsson argued the security of flash MIX as follows [10, Proof of Theorem 1].

In order to successfully alter some elements in the final output, the adversary has to alter at least two elements of the re-encrypted and permuted first list copy, none of which are the second dummy. (See Steps (4) and (6) of the previous subsection.) In order for this not to be noticed in the step where lists are relatively sorted and compared, the adversary has to select the same two elements from the remaining $\tau - 1$ list copies.

He claimed that this probability was smaller than $\epsilon$. (See eq.(2) for $\epsilon$.) In the next section, however, we show that this claim is not true.


4 Attack for Flash MIX 


In this section, we show that MIX server 1 can prevent computing the correct 
output. 
4.1 Attack for the Blinding Protocol

In the blinding protocol of flash MIX, our malicious MIX server 1 executes the first re-encryption honestly, but cheats in the second re-encryption. He computes his invalid output lists $L'_{1,1}, \ldots, L'_{\tau,1}$ from not only his input lists $L'_{1,0}, \ldots, L'_{\tau,0}$ of the second re-encryption phase but also the input to the flash MIX itself ($L_0$ of eq.(1)). See Fig. 3 and Fig. 4.

Now our malicious MIX server 1 executes the second re-encryption phase as follows.

(1) MIX server 1 first chooses random numbers $\alpha_1, \ldots, \alpha_N$ such that

$$\alpha_1 + \cdots + \alpha_N = 1 \bmod q. \qquad (6)$$

(2) For $1 \le i \le \tau$, $L'_{i,0}$ is written as follows.

$$L'_{i,0} = \Pi_i\big((a'_{i,1}, b'_{i,1}), \ldots, (a'_{i,N+2}, b'_{i,N+2})\big)$$

where $\Pi_i$ is the aggregate permutation,

$$a'_{i,k} = a_k g^{\beta_{i,k}}, \quad b'_{i,k} = b_k y^{\beta_{i,k}}, \qquad (7)$$

and $\beta_{i,k}$ is the aggregate re-encryption exponent. (See eq.(3).)


Fig. 3. First re-encryption of our attack

MIX server 1 does not know $\Pi_i$. However, note that he can compute the products $a'_{i,1} \cdots a'_{i,N+2}$ and $b'_{i,1} \cdots b'_{i,N+2}$. Now MIX server 1 computes

$$A_i = \frac{a'_{i,1} \cdots a'_{i,N+2}}{a_{N+1} a_{N+2}} \quad \text{and} \quad B_i = \frac{b'_{i,1} \cdots b'_{i,N+2}}{b_{N+1} b_{N+2}}, \qquad (8)$$

where $(a_{N+1}, b_{N+1})$ and $(a_{N+2}, b_{N+2})$ are the two dummy elements which are inserted into the input list at the beginning of the protocol (see eq.(1)).

(3) Next, for $i = 1, \ldots, \tau$, MIX server 1 publishes

$$L'_{i,1} = \theta_i\big((A_i^{\alpha_1} g^{t_{i,1}}, B_i^{\alpha_1} y^{t_{i,1}}), \ldots, (A_i^{\alpha_N} g^{t_{i,N}}, B_i^{\alpha_N} y^{t_{i,N}}),$$
$$(a_{N+1} g^{t_{i,N+1}}, b_{N+1} y^{t_{i,N+1}}), (a_{N+2} g^{t_{i,N+2}}, b_{N+2} y^{t_{i,N+2}})\big) \qquad (9)$$

where $\theta_i$ and $t_{i,1}, \ldots, t_{i,N+2}$ are randomly chosen by MIX server 1.

Fig. 4. Second re-encryption of our attack

Let

$$A = a_1 \cdots a_N, \quad B = b_1 \cdots b_N. \qquad (10)$$

Then note that for $i = 1, \ldots, \tau$, $L'_{i,1}$ is a randomly re-encrypted and permuted list of $((\bar a_1, \bar b_1), \ldots, (\bar a_N, \bar b_N), (a_{N+1}, b_{N+1}), (a_{N+2}, b_{N+2}))$, where

$$(\bar a_1, \bar b_1) = (A^{\alpha_1}, B^{\alpha_1}),$$
$$\vdots$$
$$(\bar a_N, \bar b_N) = (A^{\alpha_N}, B^{\alpha_N}).$$


4.2 Attack for the Unblinding Protocol 

We next show that MIX server 1 can behave properly in each phase of the 
unblinding protocol so that no cheating is detected. 

Theorem 1. MIX server 1 can behave properly so that the verifying the first 
re-encryption phase ends successfully. 

Proof. Our MIX server 1 executed the first re-encryption phase honestly. There- 
fore, he can execute the verifying the first re-encryption phase correctly. □ 

Theorem 2. MIX server 1 can behave properly so that the verification of dummy values phase ends successfully.

Proof. Everyone knows $\Pi_i$ of eq.(3). MIX server 1 knows $\theta_i$ of eq.(9). Therefore, MIX server 1 knows how the two dummies are permuted from $L'_{i,0}$ to $L'_{i,1}$. Hence, MIX server 1 can publish a description of how the two dummies are permuted from $L'_{i,0}$ to $L'_{i,1}$ for $1 \le i \le \tau$.

Next let

$$z_{i,N+1} = t_{i,N+1} - \beta_{i,N+1},$$
$$z_{i,N+2} = t_{i,N+2} - \beta_{i,N+2},$$

where $\beta_{i,j}$ are defined in eq.(3) and $t_{i,j}$ are defined in eq.(9). Then $z_{i,N+1}$ and $z_{i,N+2}$ are the re-encryption exponents of the two dummies from $L'_{i,0}$ to $L'_{i,1}$.

MIX server 1 can compute $z_{i,N+1}$ and $z_{i,N+2}$ because he knows $\{t_{i,j}\}$ and $\{\beta_{i,j}\}$. Therefore, he can reveal $z_{i,N+2}$. He also proves that he knows $z_{i,N+1}$ in zero-knowledge.

Then the verification of dummy values phase ends successfully. □


Theorem 3. MIX server 1 can behave properly so that the verification of products phase ends successfully.

Proof. From eq.(3), it holds that (with $(A_i, B_i)$ the products of Step (4.1))

$$A_i = a_1 \cdots a_{N+1} \cdot g^{\beta_{i,1} + \cdots + \beta_{i,N+1}},$$
$$B_i = b_1 \cdots b_{N+1} \cdot y^{\beta_{i,1} + \cdots + \beta_{i,N+1}}.$$

On the other hand, from eq.(9), it holds that (with $A_i$ now the quantity of eq.(8))

$$C_i = (A_i^{\alpha_1} g^{t_{i,1}}) \cdots (A_i^{\alpha_N} g^{t_{i,N}}) \cdot (a_{N+1} g^{t_{i,N+1}})$$
$$= A_i^{\alpha_1 + \cdots + \alpha_N} \cdot a_{N+1} \cdot g^{t_{i,1} + \cdots + t_{i,N+1}}$$
$$= A_i \cdot a_{N+1} \cdot g^{t_{i,1} + \cdots + t_{i,N+1}} \qquad (11)$$

from eq.(6). Substitute eq.(7) into eq.(8). Then we have

$$A_i = a'_{i,1} \cdots a'_{i,N+2} / (a_{N+1} a_{N+2})$$
$$= a_1 g^{\beta_{i,1}} \cdots a_{N+2} g^{\beta_{i,N+2}} / (a_{N+1} a_{N+2})$$
$$= a_1 \cdots a_N \cdot g^{\beta_{i,1} + \cdots + \beta_{i,N+2}}. \qquad (12)$$

Further, substitute eq.(12) into eq.(11). Then we have

$$C_i = a_1 \cdots a_N \cdot g^{\beta_{i,1} + \cdots + \beta_{i,N+2}} \cdot a_{N+1} \cdot g^{t_{i,1} + \cdots + t_{i,N+1}}$$
$$= a_1 \cdots a_{N+1} \cdot g^{(\beta_{i,1} + \cdots + \beta_{i,N+2}) + (t_{i,1} + \cdots + t_{i,N+1})}.$$

Similarly, we have

$$D_i = b_1 \cdots b_{N+1} \cdot y^{(\beta_{i,1} + \cdots + \beta_{i,N+2}) + (t_{i,1} + \cdots + t_{i,N+1})}.$$

Now let

$$\mu_i = t_{i,1} + \cdots + t_{i,N+1} + \beta_{i,N+2}. \qquad (13)$$

Then it is clear that eq.(4) is satisfied.

MIX server 1 can compute the above $\mu_i$ because everyone knows $\beta_{i,N+2}$ and $\{t_{i,j}\}$ is chosen by MIX server 1. Note that $\beta_{i,N+2}$ is computable for everyone by aggregating the re-encryption exponents of the second dummy, which are published in the verification of dummy values. He reveals this $\mu_i$. Then the verification of products phase ends successfully. □
Theorem 4. MIX server 1 can behave properly so that the verification of relative sorting phase ends successfully.

Proof. Substitute eq.(12) into eq.(9). Then we have

$$L'_{i,1} = \theta_i\big((A^{\alpha_1} g^{t_{i,1} + \alpha_1 (\beta_{i,1} + \cdots + \beta_{i,N+2})}, B^{\alpha_1} y^{t_{i,1} + \alpha_1 (\beta_{i,1} + \cdots + \beta_{i,N+2})}), \ldots,$$
$$(A^{\alpha_N} g^{t_{i,N} + \alpha_N (\beta_{i,1} + \cdots + \beta_{i,N+2})}, B^{\alpha_N} y^{t_{i,N} + \alpha_N (\beta_{i,1} + \cdots + \beta_{i,N+2})}),$$
$$(a_{N+1} g^{t_{i,N+1}}, b_{N+1} y^{t_{i,N+1}}), (a_{N+2} g^{t_{i,N+2}}, b_{N+2} y^{t_{i,N+2}})\big),$$

where $A$ and $B$ are defined in eq.(10). Let

$$\gamma_{i,1} = t_{1,1} - t_{i,1} + \alpha_1 \cdot (\beta_{1,1} + \cdots + \beta_{1,N+2}) - \alpha_1 \cdot (\beta_{i,1} + \cdots + \beta_{i,N+2}),$$
$$\vdots$$
$$\gamma_{i,N} = t_{1,N} - t_{i,N} + \alpha_N \cdot (\beta_{1,1} + \cdots + \beta_{1,N+2}) - \alpha_N \cdot (\beta_{i,1} + \cdots + \beta_{i,N+2}),$$

where $t_{i,j}$ is defined in eq.(9). Note that MIX server 1 can compute $\gamma_{i,1}, \ldots, \gamma_{i,N}$ for $2 \le i \le \tau$.

Now MIX server 1 reveals the tag lists $T_{1,1}, \ldots, T_{\tau,1}$ and the offset lists $E_{2,1}, \ldots, E_{\tau,1}$ such that

$$T_{i,1} = \theta_i(R_1, \ldots, R_{N+2}) \quad \text{for } 1 \le i \le \tau,$$
$$E_{i,1} = \theta_i(\gamma_{i,1}, \ldots, \gamma_{i,N+2}) \quad \text{for } 2 \le i \le \tau,$$

where $\theta_i$ is defined in eq.(9) and $R_1, \ldots, R_{N+2}$ are unique elements in the domain of $f$. It is easy to see that eq.(5) is satisfied with $\Phi_i = \theta_1 \theta_i^{-1}$.

Therefore, the verification of relative sorting phase ends successfully. □

Theorems 1 to 4 show that each phase of the unblinding protocol ends successfully and no cheating is detected.

4.3 Output of Flash MIX

Let the input to flash MIX be a list of ciphertexts

$$((a_1, b_1), \ldots, (a_N, b_N)),$$

where $(a_i, b_i)$ is an ElGamal encryption of a message $m_i$ with respect to the public key $(p, q, g, y)$.

Then after threshold decryption, flash MIX must output a random permutation of

$$(m_1, \ldots, m_N).$$

However, in our attack, flash MIX outputs

$$((m_1 \cdots m_N)^{\alpha_1}, \ldots, (m_1 \cdots m_N)^{\alpha_N})$$

which is clearly different from $(m_1, \ldots, m_N)$. Therefore, flash MIX fails to compute the correct output, and the cheating is not detected.

5 Countermeasure 

In this section, we show a countermeasure for our attack. The blinding protocol 
is unchanged. The new unblinding protocol is as follows. 

(1) Open dummies of the first re-encryption. 

Each MIX server publishes how he permuted the two dummies in the first 
re-encryption. He next proves that he knows the re-encryption exponents of 
the two dummies in zero-knowledge. 

(2) Verification of dummy values in the second re-encryption. 

Unchanged. 

(3) Verification of products in the second re-encryption. 

Unchanged. 

(4) Verifying the first re-encryption. 

Unchanged. 

(5) Aggregation. 

(6) Verification of relative sorting in the second re-encryption. 

Unchanged. 

Note that 

1. (1) is newly introduced. In (1), the re-encryption exponent of the second 
dummy is not revealed. 

2. (4) was put at the beginning of the unblinding protocol in the original 
scheme. 

Then our attack does not work. Theorems 1, 2 and 4 hold. However, Theorem 3 does not hold.

The security of our countermeasure is left as further work.
Abstract. This work describes distributed protocols for oblivious transfer, in which the role of the sender is divided between several servers, and a chooser (receiver) must contact a threshold of these servers in order to run the oblivious transfer protocol. These distributed oblivious transfer protocols provide information theoretic security, and do not require the parties to compute exponentiations or any other kind of public key operations. Consequently, the protocols are very efficient computationally.


1 Introduction 

Oblivious Transfer (abbrev. OT) refers to several types of two-party protocols where at the beginning of the protocol one party, the sender, has an input, and at the end of the protocol the other party, the chooser (sometimes called the receiver), learns some information about this input in a way that does not allow the sender to figure out what the chooser has learned. In this paper we are concerned with 1-out-of-2 OT protocols where the sender's input consists of two strings $(m_0, m_1)$ and the chooser can choose to get either one of these inputs and learn nothing about the other string.

Distributed oblivious transfer protocols distribute the task of the sender between several servers. Security is ensured as long as a limited number of these servers collude. The constructions we describe have three major advantages compared to single server based oblivious transfer: (1) They are more efficient since they only involve the evaluation of polynomials over relatively small fields (and no exponentiations). (2) They provide information theoretic security, thus making the task of composing such a protocol with other protocols easier. (3) They also provide a better security guarantee when applied to the multi-party protocols based on the auction architecture of [21] (see below).
DARPA contract F30602-99-1-0530.

** Most of this work was done while the author was at the Weizmann Institute of 
Science and the Hebrew University of Jerusalem, and was supported by an Eshkol 
grant of the Israeli Ministry of Science. 

T. Okamoto (Ed.): ASIACRYPT 2000, LNCS 1976, pp. 205-219, 2000. 

© Springer-Verlag Berlin Heidelberg 2000



206 Moni Naor and Benny Pinkas 


The setting of distributed oblivious transfer involves, as in the basic 1-out-of-2 protocol, a sender with two inputs $m_0, m_1$, and a chooser with an input $\sigma \in \{0, 1\}$. There are also $n$ servers $S_1, \ldots, S_n$. The sender generates for every server $S_i$ a transfer function $F_i$, which is sent to the server. Apart from this message there is no interaction between the servers and the sender, or between the servers themselves. Server $S_i$ then uses the function $F_i$ to answer a query of the chooser. The sender never interacts with the chooser and can be offline when the chooser sends his queries.


Related Work. The notion of 1-out-of-2 oblivious transfer was suggested by Even, Goldreich and Lempel [13], as a generalization of Rabin's "oblivious transfer" [23]. Further generalization to 1-out-of-$N$ oblivious transfer was introduced by Brassard, Crepeau and Robert [7] under the name ANDOS (all or nothing disclosure of secrets). For an up-to-date definition of OT and oblivious function evaluation see Goldreich [16].

Reductions between various types of oblivious transfer protocols have been investigated extensively and they all turn out to be information theoretically equivalent (see [6,8,12,11,9]). These reductions emphasize the importance of distributed oblivious transfer, since they enable other types of OT protocols to be based on the efficient constructions of distributed OT presented in this paper. In particular, a protocol for distributed 1-out-of-$N$ OT can be constructed using the (non-information theoretic) reduction of Naor and Pinkas [20] to $OT_1^2$. The protocol uses $\log N$ invocations of distributed $OT_1^2$, and $N$ invocations of a pseudo-random function. The resulting $OT_1^N$ protocol is very efficient and does not require any public key operations.

Oblivious transfer protocols are the foundation of secure distributed compu- 
tation. Since its proposal by Rabin [23] OT has enjoyed a large number of appli- 
cations and in particular Kilian [19] and Goldreich and Vainish [17] have shown 
how to use OT in order to implement general oblivious function evaluation, i.e., 
to enable parties to evaluate any function of their inputs without revealing more 
information than necessary. Oblivious transfer can be implemented under a va- 
riety of assumptions (see e.g. [6,13,5]). Essentially every known suggestion of 
public-key cryptography allows also to implement OT (although there is no gen- 
eral theorem that implies this state of affairs), and the complexity of l-out-of-2 
OT is typical of public-key operations [6,5]. OT can be based on the existence of trapdoor permutations, factoring, the Diffie-Hellman assumption and the hardness of finding short vectors in a lattice (the Ajtai-Dwork cryptosystem). On
the other hand, given an OT protocol it is a simple matter to implement secret- 
key exchange using it. Therefore from the work of Impagliazzo and Rudich [18] 
it follows that there is no black-box reduction of OT from one-way functions. 
This result is quite discouraging if one attempts to improve the efficiency of OT 
protocols, since one-way functions are typically more efficient than public key 
operations by a few orders of magnitude. 

There are many works which solve problems which are related (at least syntactically) to ours. The work of Beaver et al. [4] on locally random reductions enables one to distribute a function between many servers, such that a user can compute the function by contacting these servers. The construction guarantees that the servers cannot learn which values the users compute, but on the other hand it does not provide security against a user who attempts to compute the function in many locations. This is also the case with PIR (private information retrieval) protocols [10]. SPIR protocols [15] address the security of the sender as well, but the emphasis of both these types of protocols is different than ours: they consider communication overhead as the major resource that must be minimized (at the cost of increasing the computation overhead). In the PIR context Gertner et al. [14] proposed a system where the database owner solicits the help of several servers which are not fully trusted. A related line of work is that of "commodity based cryptography" [3], where OT is treated as a resource, but our work puts a much stronger emphasis on simplicity and efficiency.

Very recently Rivest has considered a model with a "trusted initializer" who (similarly to the sender in our scenario) participates only in an initial setup [24]. The differences from our setting are: (i) the trusted party should provide secret information to the receiver/chooser as well; this is unacceptable in applications such as the privacy preserving architecture discussed below; (ii) the online sender knows the values $m_0$ and $m_1$, whereas the servers in our scenario do not gain information about them.


Application to the Privacy Preserving Architecture An architecture for 
executing auctions, economic mechanism design and negotiations was proposed 
in [21]. The goal is to preserve the privacy of the inputs of the participants (so 
that no nonessential information about them is divulged, even a posteriori) while 
maintaining communication and computational efficiency. This goal is achieved 
by adding another party, the auction issuer, in addition to the bidders and the auctioneer. This party's role is to generate the programs ("garbled circuits") for computing the auctions prior to the auction and to run a variant of OT called proxy OT after the bids have been submitted. Other than that it does not
take an active part in the protocol. The auction issuer is not a trusted party, but 
is assumed not to collude with the auctioneer. In the original protocol of [21] the 
privacy of bidders is preserved as long as the auction issuer and the auctioneer 
do not collude. 

Employing the distributed oblivious transfer protocols proposed in this paper 
allows splitting the role of the auction issuer into two parts (this was the moti- 
vation for our work). One of them needs a central server that acts only offline. 
It prepares the garbled circuits and acts as the sender preparing the inputs for 
the n servers in the distributed OT protocol. During the execution of the auc- 
tion these n servers, called the online auction servers, operate after the bids are 
submitted. The central auction issuer can be better safeguarded than the online 
servers, since it operates offline. Privacy is guaranteed as long as the auctioneer 
does not collude with a coalition of several (more than the given threshold) of 
the online auction servers. 
2 Definitions

A distributed $k$-out-of-$n$ $OT_1^2$ protocol involves three types of parties:

— A sender which has two inputs $m_0, m_1$. It is convenient to assume that both these inputs are elements in a field $\mathcal{F}$.

— A chooser that has an input bit $\sigma \in \{0, 1\}$.

— Additional $n$ servers, $S_1, \ldots, S_n$.

The protocol is composed of the following functional steps:

— The sender generates for each server $S_i$ a function $F_i$, which depends on $(m_0, m_1)$ and on random coin tosses of the sender.

— The chooser contacts $k$ different servers. She sends to server $S_i$ a query $q_i$ which is a function of $\sigma$ and of $i$, and of private random coin tosses. The server answers the query with $F_i(q_i)$.

A distributed $k$-out-of-$n$ $OT_1^2$ protocol must guarantee the following properties:

— Reconstruction: If the chooser receives information from $k$ servers she can compute $m_\sigma$. That is, there is an efficient algorithm for computing $m_\sigma$ from any set $\{i_j, F_{i_j}(q_{i_j})\}_{j=1}^k$.

— Sender's privacy: Given any $k$ values $\{i_j, F_{i_j}(q_{i_j})\}_{j=1}^k$ the chooser must gain information about a single input $m_\sigma$, and no information about the other input of the sender. (A weaker requirement is that she can compute at most a single linear combination of $m_0$ and $m_1$.)

— Chooser's privacy: No coalition of less than $t$ servers gains any information about $\sigma$, where $t$ is a parameter in the range $1 \le t \le k$. The parameter $t$ should ideally be as close as possible to $k$.

— Chooser-servers collusion: A coalition of the chooser with $\ell$ corrupt servers cannot learn about $m_0, m_1$ more than can be learned by the chooser herself (where $\ell$ is a parameter).

An additional requirement is that if the chooser receives information from less than $k$ servers she gains no information about $m_0$ or $m_1$. There might be applications in which this requirement is not important, since the emphasis might be on the chooser having to contact at most $k$ servers. This requirement is not supported in all of the protocols that we present. Namely, in the protocol of Section 3.2 the receiver can obtain information about a single input after receiving information from less than $k$ servers. However, in this case she compromises her own privacy and risks that a coalition of fewer than $k$ servers can learn $\sigma$.

Note that the privacy of both the sender and the receiver is based on information theory and does not depend on any computational assumption. Furthermore, the protocol is very simple: the chooser simply asks server $S_i$ for a value of $F_i(\cdot)$ and receives an answer, and this process is considerably more efficient than an $OT_1^2$ protocol (since in all protocols $F_i$ is simply a polynomial).

The privacy of the sender depends on the chooser getting shares from at most $k$ servers. We discuss in Section 5 how to ensure that this is indeed the case.
The protocols use bivariate polynomials in a way which is similar to that used by the oblivious polynomial evaluation protocols of [20]: The sender defines a bivariate polynomial $Q(x,y)$ which hides his input, and the chooser defines a secret univariate polynomial $S(x)$ and interpolates $Q(x, S(x))$ which reveals to her one value of the sender's input. However, in [20] a single sender knows the polynomial $Q$ and the chooser uses $OT_1^N$ in order to learn the values of this polynomial at different locations, without revealing them to the sender. In the current work each server knows part of the polynomial, and the chooser simply asks servers to reveal to her values of the polynomial at different points. The chooser does not have to use OT in order to hide these points from the servers, since as long as not too many of them collude they cannot learn her input.


Why Secret Sharing Isn't Enough: The first naive approach for designing a distributed $OT_1^2$ scheme is probably to suggest using simple $k$-out-of-$n$ secret sharing for sharing $m_0$ and $m_1$ between the servers. Namely, each input should be divided into $n$ shares, and each of the $n$ servers is given a share. The chooser should obtain $k$ shares of one of the schemes to reconstruct one of the inputs. The problem with this method is, of course, that the chooser must hide from the servers the identity of the input whose shares it requires. This essentially requires the chooser to run an $OT_1^2$ protocol with each of the servers.

3 Protocols for Distributed Oblivious Transfer 

This section describes several protocols for distributed $OT_1^2$. The protocols follow the generic structure described in Table 1.

1. Input: The sender's input is a pair $m_0, m_1 \in \mathcal{F}$. The chooser's input is $\sigma \in \{0, 1\}$.

2. The sender generates a bivariate polynomial $Q(x,y)$, s.t. $Q(0,0) = m_0$, $Q(0,1) = m_1$.

3. The sender sends the univariate polynomial $Q(i, \cdot)$ to server $S_i$.

4. The chooser chooses a random polynomial $S$ s.t. $S(0) = \sigma$, and defines a univariate polynomial $R$ to be $R(x) = Q(x, S(x))$. The degree of $R$ is $k - 1$.

5. The chooser asks server $S_i$ for the value $R(i) = Q(i, S(i))$.

6. After receiving $k$ values of $R$ the chooser interpolates $R$ and computes $R(0)$.

Fig. 1. The basic steps of the distributed $OT_1^2$ protocol.


The main difference between the different protocols is the type of the poly- 
nomial Q(x,y) that is generated by the sender. This choice affects all other 
parameters of the protocol. In particular, the first type of protocols uses a poly- 
nomial Q(x,y) which is defined as the sum of a polynomial in x and a linear 
polynomial in y, and has no monomials which include both x and y. We denote 
such polynomials as sparse. Since the sender is only required to compute sparse
polynomials, his task is greatly reduced (compared to the computation of full 
polynomials). This type of protocols is secure as long as there is no collaboration 
between the chooser and a corrupt server. It is also possible to make it immune 
against a collusion between the chooser and a single (or a few) servers. 

We describe a different type of protocols which can protect the sender’s 
privacy against a collusion between the chooser and a large set of servers. This 
type of protocols uses full bivariate polynomials in which the coefficients of all 
the monomials are non-zero (with high probability). 

3.1 Using a Sparse Polynomial 

The most basic and straightforward protocol employs a bivariate polynomial, where the degree of $y$ is 1 and there are no monomials which contain both $x$ and $y$. The protocol is described in Figure 2. It has the following properties.

— Reconstruction: After receiving information from $k$ servers, the chooser can learn $m_\sigma$, by interpolating the polynomial $R$.

— Sender's privacy: After receiving information from $k$ servers, the chooser cannot learn more than a single linear equation of $m_0$ and $m_1$ (this is proved in Theorem 1). We later show in Section 4 how to ensure that the chooser learns exactly $m_0$ or $m_1$ and not any other combination of these values.

— Information from less than $k$ servers does not reveal to the chooser any information about $m_0$ and $m_1$ (since the degree of $x$ in $Q$ is $k - 1$).

— Chooser's privacy: No coalition of at most $t = k - 1$ servers can learn any information about $\sigma$ (this is proved in Theorem 2 and is based on the degree of $S$ being $k - 1$).

— No security against chooser-server collusion: A coalition of the chooser with one corrupt server reveals to the chooser both $m_0$ and $m_1$ (after running the protocol). At the end of this Section we describe a method to address this problem if the chooser colludes with a single corrupt server (or a small number of corrupt servers). Section 3.2 describes a scheme which is secure against a collusion between the receiver and a large number of servers.

— Overhead: The sender has to choose $O(k)$ elements and has to send to each server $O(1)$ elements. Each server has to compute a linear polynomial a single time. The chooser should contact $k$ servers, and her total communication overhead is $O(k)$. The computation of $m_\sigma$ involves interpolation of a $k - 1$ degree polynomial in order to find its free coefficient. This can be done in $O(k^2)$ multiplications using Lagrange's interpolation formula, or $O(k \log^2 k)$ multiplications using FFT (see e.g. [1] p. 299). The operations are done over the field $\mathcal{F}$ which can be rather small¹ and are therefore efficient by a few orders of magnitude compared to the public key operations required (following [18]) for non-distributed oblivious transfer.

¹ Typically the field should contain $m_0, m_1$. However, if these elements are large the sender can choose two random keys $k_0, k_1$ (say, 128 bits long) and use them to encrypt $m_0, m_1$, respectively. The OT protocol should be run for the inputs $k_0, k_1$, and therefore the field $\mathcal{F}$ should only be large enough to contain them.
Initialization: The sender generates a linear polynomial $P_y(y) = b_1 \cdot y + b_0$, s.t. $P_y(0) = m_0$, $P_y(1) = m_1$. (I.e., $m_0 = b_0$, $m_1 = b_1 + b_0$.)

The sender generates a random masking polynomial $P_x(x)$ of degree $k - 1$, s.t. $P_x(0) = 0$. Namely, $P_x(x) = \sum_{j=1}^{k-1} a_j x^j$. It also defines a bivariate polynomial

$$Q(x,y) = P_x(x) + P_y(y) = \sum_{j=1}^{k-1} a_j x^j + b_1 y + b_0.$$

The sender provides server $S_i$ with the function $F_i(y)$ which is the result of substituting $x = i$ in the polynomial $Q$. Namely,

$$F_i(y) = Q(i,y) = \sum_{j=1}^{k-1} a_j i^j + b_1 y + b_0 = b_1 y + \Big(\sum_{j=1}^{k-1} a_j i^j + b_0\Big).$$

Transfer: The chooser generates a random polynomial $S(x)$ of degree $k - 1$, subject to the constraint $S(0) = \sigma$. I.e., $S(x) = \sum_{j=0}^{k-1} s_j x^j$ where $s_0 = \sigma$. Consider the polynomial $R(x)$ which is generated by substituting $S(x)$ instead of $y$ in $Q$,

$$R(x) = Q(x, S(x)) = \sum_{j=1}^{k-1} a_j x^j + b_1 \sum_{j=0}^{k-1} s_j x^j + b_0 = \sum_{j=1}^{k-1} (a_j + b_1 s_j) x^j + b_1 s_0 + b_0.$$

The chooser's goal is to interpolate $R$ and compute $R(0) = Q(0, S(0)) = Q(0, \sigma) = m_\sigma$. The degree of $R$ is $k - 1$, and therefore the chooser should obtain $k$ values of $R$ in order to interpolate it. She approaches $k$ different servers and asks server $S_i$ for the value $F_i(S(i)) = Q(i, S(i)) = R(i)$. After receiving $k$ answers she can interpolate $R$ and compute $R(0) = m_\sigma$.

Fig. 2. A distributed $OT_1^2$ protocol using a sparse linear polynomial.
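The generic structure of Fig. 1 instantiated with the sparse polynomial of Fig. 2, as an added Python example (not the paper's code): the sender builds $Q(x,y) = P_x(x) + P_y(y)$ and hands server $S_i$ the pair $(b_1, P_x(i) + b_0)$ describing $F_i$, the chooser picks $S$ with $S(0) = \sigma$, queries $k$ servers for $R(i) = F_i(S(i))$, and recovers $R(0) = m_\sigma$ by Lagrange interpolation of the free coefficient. The prime field, the seed and the parameter values are assumptions made for the demonstration.

```python
import random

FIELD_P = 1_000_003   # a prime; constructed choice for the field F of the paper


def poly_eval(coeffs, x, p=FIELD_P):
    """Evaluate a polynomial given as [c0, c1, ..., cd] at x over GF(p) (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def sender_setup(m0, m1, k, n, rng, p=FIELD_P):
    """Initialization of Fig. 2: P_y(y) = b1*y + b0 with P_y(0) = m0, P_y(1) = m1 and
    a random masking polynomial P_x of degree k-1 with P_x(0) = 0.
    Server S_i receives F_i(y) = Q(i, y) = b1*y + (P_x(i) + b0), encoded as a pair."""
    b0 = m0 % p
    b1 = (m1 - m0) % p
    px = [0] + [rng.randrange(p) for _ in range(k - 1)]     # coefficients a_1..a_{k-1}
    return {i: (b1, (poly_eval(px, i, p) + b0) % p) for i in range(1, n + 1)}


def server_answer(f_i, y, p=FIELD_P):
    """Server S_i evaluates its linear function F_i at the chooser's query y."""
    b1, c = f_i
    return (b1 * y + c) % p


def chooser_select(sigma, k, rng, p=FIELD_P):
    """S(x) of degree k-1 with S(0) = sigma; the other coefficients are random."""
    return [sigma] + [rng.randrange(p) for _ in range(k - 1)]


def interpolate_at_zero(points, p=FIELD_P):
    """Lagrange interpolation of the free coefficient R(0) from k points (i, R(i))."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, p - 2, p)) % p   # den^-1 via Fermat
    return total


def run_ot(m0, m1, sigma, k, n, contacted, seed=0, p=FIELD_P):
    """Full k-out-of-n run: 'contacted' lists the k distinct server indices the
    chooser talks to. Returns what the chooser computes, which should equal m_sigma."""
    assert len(set(contacted)) == k and all(1 <= i <= n for i in contacted)
    rng = random.Random(seed)
    functions = sender_setup(m0, m1, k, n, rng, p)          # sender is offline after this
    s = chooser_select(sigma, k, rng, p)
    points = [(i, server_answer(functions[i], poly_eval(s, i, p), p)) for i in contacted]
    return interpolate_at_zero(points, p)
```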


Proofs of Privacy 

Theorem 1 (Sender's privacy). After receiving information from $k$ servers, the chooser cannot learn more than a single linear combination of $m_0$ and $m_1$.

Proof: When the chooser sends to server $i$ the query $y_i$, she receives the answer $F_i(y_i) = Q(i, y_i) = \sum_{j=1}^{k-1} a_j i^j + b_1 y_i + b_0$. The receiver therefore obtains the following set of $k$ equations:

It should be shown that no matter what values the chooser assigns to the $y_i$'s, she does not learn more than a single linear combination of $b_0, b_1$. In other words, that the rows of the matrix $A$ do not span both the vector $e_k = (0, \ldots, 0, 1, 0)$ and the vector $e_{k+1} = (0, \ldots, 0, 0, 1)$. The matrix $A$ has $k+1$ columns and $k$ rows. Consider the matrix $A'$ with $k+1$ rows which is formed by taking the first $k-1$ rows of $A$ and appending to them the vectors $e_k, e_{k+1}$. The determinant of $A'$ is different from 0 (since the sub-matrix of size $(k-1) \times (k-1)$ in the upper-left corner is a Vandermonde matrix). Therefore, the first $k-1$ rows of $A$ do not span either of $e_k, e_{k+1}$, and the matrix $A$, which has just a single additional row, cannot span both vectors. □

Theorem 2 (Chooser's privacy). A coalition of $k-1$ servers does not learn any information about $\sigma$.

Proof: The coalition receives $k-1$ values of $S(i)$ for $i \neq 0$. The polynomial $S$ is of degree $k$ and is random except for $S(0) = \sigma$. The information that the coalition learns could have been equally likely derived from a polynomial $S$ with $S(0) = 0$ as from a polynomial with $S(0) = 1$. □

How to Protect against a Collusion between the Chooser and a Single Server: The main drawback of the protocol is that a collusion between the chooser and one of the servers reveals both $m_0$ and $m_1$. This happens since each server $S_i$ knows a polynomial $F_i(y)$ which reveals $b_1 = m_1 - m_0$. We describe below a simple solution against a collusion between a chooser and a single server. This solution is general and is good for any distributed OT scheme. The aim of the rest of the paper is to deal with larger collusions.

In order to protect against a coalition of the chooser with a single server, the sender divides the $n$ servers into all possible $n$ subsets of $n-1$ servers. It defines $n$ random shares $\{m_{0,j}\}_{j=1}^{n}$ that satisfy $m_0 = \oplus_{j=1}^{n} m_{0,j}$, and similarly shares $\{m_{1,j}\}_{j=1}^{n}$ that satisfy $m_1 = \oplus_{j=1}^{n} m_{1,j}$. Next, it defines $n$ schemes for $(k-1)$-out-of-$(n-1)$ distributed $OT_1^2$. The $i$th scheme enables the transfer of either one of $m_{0,i}, m_{1,i}$ and is assigned to the members of the $i$th subset of servers.

The chooser should contact $k$ servers, and run the $n$ distributed $OT_1^2$ protocols, learning $\{m_{\sigma,j}\}_{j=1}^{n}$. She should then combine the results to compute $m_\sigma$.

This protocol ensures that a coalition of $t = k-2$ servers cannot learn which element the receiver learned, and that any $k$ servers enable the receiver to learn only a single share. A coalition of the chooser with a single server cannot learn any additional information, since this server has no information about one of the $OT_1^2$ schemes. This method can be generalized to handle a collusion of the chooser with $t$ servers, but this would require running $\binom{n}{t}$ distributed $OT_1^2$ protocols.


3.2 Using a Full Polynomial 

In order to protect against large chooser-servers collusions, the sender should use a bivariate polynomial which includes all possible monomials, and in which the degree of $y$ is high. This approach yields a tradeoff between the number of servers that can compromise the chooser's privacy, and the size of a chooser-servers collusion that can compromise the sender's privacy. The protocol is described in Figure 3.


Initialization: The sender generates a random bivariate polynomial $Q(x,y)$ of degree $d_x$ in $x$ and degree $d_y$ in $y$, subject to the constraints

$$Q(0,0) = m_0, \quad Q(0,1) = m_1.$$

Namely, $Q(x,y) = \sum_{j=0}^{d_x} \sum_{l=0}^{d_y} a_{j,l} x^j y^l$, where $a_{0,0} = m_0$ and $\sum_{l=0}^{d_y} a_{0,l} = m_1$. It should also hold that $d_x = (k-1)/2$ (the parameter $k$ must be even).

The sender sends to server $S_i$ the function $F_i(y)$ which is the result of substituting $x = i$ in the polynomial $Q$. Namely,

$$F_i(y) = Q(i,y) = \sum_{l=0}^{d_y} \Big(\sum_{j=0}^{d_x} a_{j,l} i^j\Big) y^l.$$

Transfer: The chooser generates a random polynomial $S(x)$ of degree $d_s$, where the degree satisfies$^a$ $d_y d_s = d_x = (k-1)/2$. The polynomial $S$ is random subject to the constraint $S(0) = \sigma$.

Consider the polynomial $R(x)$ which is generated by substituting $S(x)$ instead of $y$ in $Q$,

$$R(x) = Q(x, S(x))$$

The chooser should interpolate $R$ and compute $R(0) = Q(0, S(0)) = Q(0, \sigma) = m_\sigma$. The degree of $R$ is $k-1 = d_x + d_y d_s$, and therefore the chooser should obtain $k$ values of $R$ in order to interpolate it. She approaches $k$ different servers and asks server $S_i$ for the value $F_i(S(i)) = Q(i, S(i)) = R(i)$. After receiving $k$ answers she can interpolate $R$ and compute $R(0) = m_\sigma$.

$^a$ We assume that the degrees are chosen such that this equality holds. Otherwise it must hold that $d_y d_s < d_x$.


Fig. 3. A distributed $OT_1^2$ protocol using a full polynomial.


The protocol has the following properties:

— Reconstruction: As in the previous protocol, after receiving information from $k$ servers the chooser can learn $m_\sigma$, since the degree of $R$ is $k$.

— Sender's privacy: After receiving information from $k$ servers, the chooser cannot learn more than a single linear equation of $m_0$ and $m_1$. This is proved in Theorem 3 in the Appendix. We show in Section 4 how to ensure that she learns exactly $m_0$ or $m_1$.

— Chooser's privacy: No coalition of at most $t = d_s = (k-1)/(2d_y)$ servers can learn any information about $\sigma$ (if the chooser acts according to the protocol). This follows from the degree of $S$.

— Information from less than $k$ servers might reveal to the chooser information about $m_0$ or $m_1$ (e.g., if she sets $S(x)$ to be of degree smaller than $d_x$, the degree of $R = Q(x, S(x))$ would be smaller than $k$). However, this affects the chooser's privacy, namely reveals it to a coalition of less than $(k-1)/(2d_y)$ servers. If the chooser receives information from less than $d_x$ servers she learns no information about either $m_0$ or $m_1$.

— Security against chooser-servers collusion: A coalition of the chooser with $d_x - $ corrupt servers does not reveal to the chooser more than a single linear equation of $m_0$ and $m_1$. This is proved in Theorem 4 in the Appendix.

— Overhead: The sender in preparing the polynomial has to choose $O(k d_y)$ elements and send $d_y$ elements per server. Each server has to compute a polynomial of degree $d_y$ a single time. The overhead of the chooser is as in the sparse polynomial scheme.

This construction, therefore, gives a tradeoff between chooser privacy against a coalition of corrupt servers, and sender's privacy against a coalition between the chooser and corrupt servers. Once $n$ and $k$ are fixed, the tradeoff depends on the parameter $d_y$. The size of a coalition of corrupt servers against which the chooser is secure is $(k-1)/(2d_y) = d_x/d_y$, whereas the size of a coalition of corrupt servers that can help the chooser learn more than a single input is $d_x - $ .

4 Preventing the Chooser from Learning Linear Combinations

Suppose that the chooser must be forced to learn either $m_0$ or $m_1$, and it is required to prevent her from learning linear combinations of the two inputs$^2$.

The following method can be used to ensure that the chooser learns either $m_0$ or $m_1$, but not any other linear combination of the two inputs. We describe it for the protocol of Section 3.1 which uses a sparse bivariate polynomial.

The protocol is run simultaneously with two polynomials $P^1(y) = (a \cdot m_1 - b \cdot m_0) y + m_0 \cdot b$ and $P^2(y) = (a - b) y + b$, and corresponding polynomials $Q^1$ and $Q^2$. (The first polynomial hides $m_1$ multiplied by $a$, and $m_0$ multiplied by $b$, whereas the second polynomial hides $a$ and $b$.) The chooser sends a single value $S(i)$ to server $i$ and receives the values $Q^1(i, S(i))$ and $Q^2(i, S(i))$.

If the chooser operates according to the protocol, she learns the values $m_0 \cdot b$ and $b$ if $S(0) = 0$, and can then compute $m_0$. Similarly, she can compute $m_1$ if she sets $S(0) = 1$.

$^2$ A heuristic approach for achieving this property might encrypt the inputs $m_0$ and $m_1$ using two random keys $k_0$ and $k_1$, respectively, and run the distributed OT protocol to let the chooser learn either $k_0$ or $k_1$. If the chooser chooses to learn a linear combination of both keys then presumably she would not be able to decrypt any of the encryptions. This approach can be proved to be secure in the random oracle model, i.e. if a function $H$ which is modeled as a random oracle is used to encrypt each $m_i$ using $k_i$.

The chooser cannot learn any other linear combination of $m_0$ and $m_1$. The important property of the protocol is that the chooser learns the same linear combination of the coefficients of both $P^1$ and $P^2$. Suppose that in this combination the coefficient of $y$ is multiplied by $\alpha$ and the free coefficient is multiplied by $\beta$. The chooser therefore learns the following equations:

$$\begin{pmatrix} m_1 \alpha & m_0(\beta - \alpha) \\ \alpha & \beta - \alpha \end{pmatrix} \begin{pmatrix} a \\ b \end{pmatrix}$$

If this matrix is non-singular then any value of $m_0, m_1$ corresponds to a different pair $a, b$, and no information is divulged about $m_0$ or $m_1$. The matrix is singular only if $m_0 = m_1$ (but we can ensure that this does not happen if we append a different prefix to each input), or if $\alpha = 0$ or $\alpha = \beta$. These last two cases reveal to the chooser the value of $m_0$ or $m_1$, respectively, and are therefore legitimate.
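The sparse-polynomial protocol of Figure 2 and the two-polynomial masking of this section, simulated end to end over a prime field, as an added example that is not part of the original paper (nor the authors' code); the prime $P$, the server indices $1..n$, the seeds and the sample inputs are all constructed for the demonstration.

```python
"""Sparse-polynomial distributed OT (Fig. 2) and the masking trick of Section 4,
simulated over GF(P).  Added example, not the paper's code; P, the server indices
1..n and all sample inputs are constructed for this demonstration."""
import random

P = 2**61 - 1   # constructed prime; plays the role of the field F of the protocol


def make_rng(seed):
    """Deterministic randomness so that a run can be reproduced."""
    return random.Random(seed)


def interpolate_at_zero(points):
    """Lagrange interpolation of the polynomial through `points` ((x_i, y_i) with
    distinct non-zero x_i) evaluated at x = 0, over GF(P)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def eval_poly(coeffs, x):
    """coeffs[j] is the coefficient of x^j."""
    return sum(c * pow(x, j, P) for j, c in enumerate(coeffs)) % P


def sender_setup(m0, m1, k, n, rng):
    """Initialization of Fig. 2.  Q(x,y) = sum_{j=1}^{k-1} a_j x^j + b_1 y + b_0 with
    b_0 = m_0 and b_1 = m_1 - m_0.  Server S_i receives F_i(y) = Q(i, y), stored here
    as the pair (b_1, sum_j a_j i^j + b_0) because F_i is linear in y."""
    b0, b1 = m0 % P, (m1 - m0) % P
    a = [rng.randrange(P) for _ in range(k - 1)]      # a_1 .. a_{k-1}, so P_x(0) = 0
    servers = {}
    for i in range(1, n + 1):
        px_i = sum(a[j - 1] * pow(i, j, P) for j in range(1, k)) % P   # P_x(i)
        servers[i] = (b1, (px_i + b0) % P)
    return servers


def chooser_poly(sigma, k, rng):
    """Transfer step: random S(x) of degree k-1 subject to S(0) = sigma."""
    return [sigma % P] + [rng.randrange(P) for _ in range(k - 1)]


def server_answer(servers, i, y):
    """S_i evaluates F_i at the chooser's query y = S(i); it never sees S itself."""
    slope, intercept = servers[i]
    return (slope * y + intercept) % P


def run_dot(servers, s, contacted):
    """Chooser side with S(x) = s: ask each contacted server i for F_i(S(i)) = R(i),
    interpolate R(x) = Q(x, S(x)) and return R(0) = Q(0, S(0)) = m_sigma."""
    points = [(i, server_answer(servers, i, eval_poly(s, i))) for i in contacted]
    return interpolate_at_zero(points)


def dot_with_masking(m0, m1, sigma, k, n, rng):
    """Section 4: the same S(i) is sent for both Q^1 and Q^2, which are built from
    P^1(y) = (a m_1 - b m_0) y + m_0 b   and   P^2(y) = (a - b) y + b,
    so an honest chooser obtains m_0 b / b = m_0 (sigma = 0) or a m_1 / a = m_1
    (sigma = 1); any other combination of the two answers is masked by (a, b)."""
    a, b = rng.randrange(1, P), rng.randrange(1, P)
    # P^1(0) = m_0 b and P^1(1) = a m_1: Q^1 is the Fig. 2 polynomial for (m_0 b, a m_1)
    servers1 = sender_setup(m0 * b % P, a * m1 % P, k, n, rng)
    # P^2(0) = b and P^2(1) = a
    servers2 = sender_setup(b, a, k, n, rng)
    contacted = sorted(rng.sample(range(1, n + 1), k))
    s = chooser_poly(sigma, k, rng)
    masked_m = run_dot(servers1, s, contacted)   # m_sigma times its mask
    mask = run_dot(servers2, s, contacted)       # the mask itself (b or a)
    return masked_m * pow(mask, P - 2, P) % P


if __name__ == "__main__":
    rng = make_rng(2000)
    srv = sender_setup(42, 4242, 3, 5, rng)
    print(run_dot(srv, chooser_poly(0, 3, rng), [1, 3, 5]))   # 42
    print(run_dot(srv, chooser_poly(1, 3, rng), [2, 4, 5]))   # 4242
    print(dot_with_masking(42, 4242, 1, 4, 7, rng))           # 4242
```

Only the sparse case of Section 3.1 is simulated; the full-polynomial variant of Figure 3 changes `sender_setup` (all monomials $x^j y^l$) and the degree of $S$, but not the interpolation on the chooser's side.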

5 Ensuring that a Chooser Does Not Obtain More than 
k Shares 

Distributed oblivious transfer prevents the chooser from learning more than a single input as long as she does not obtain information from more than $k$ servers. This property raises the following question: how should we ensure that the chooser receives information from at most $k$ servers? (Note that this problem does not exist if the system implements an $n$-out-of-$n$ access structure.) This issue might be regarded as orthogonal to the schemes themselves. Alternatively, there might be some centralized mechanism for limiting the number of servers that send information to the chooser. However, it might be difficult to operate such a mechanism in a distributed setting.

We now describe two solutions that are applicable for the case $k > n/2$ (or any other quorum system). The solutions can be combined with any protocol for distributed OT. Therefore there is no need to postulate any external mechanism enforcing the limit on the number of servers accessed in this case.

A solution for $k > n/2$ (or any other quorum system): The servers share a key $K$ for a pseudo-random function $F$ (pseudo-random functions are commonly modeled by block ciphers). The key $K$ is known to each of the servers. Denote the subset of $k$ servers that the user approaches as $\mathcal{S}$, $|\mathcal{S}| = k$. The user sends the names of all servers in $\mathcal{S}$ to each of the servers she contacts.

Each such server, $S_i$, operates as follows:

- It verifies that $\mathcal{S}$ contains the names of $k$ servers including $S_i$, and that it did not previously send an answer to the chooser for a different set $\mathcal{S}'$ which contains $S_i$ (for the same OT).

- It computes $\alpha_{\mathcal{S}} = \oplus_{S_j \in \mathcal{S}} F_K(\mathcal{S}, S_j)$, where $F_K$ is the pseudo-random function $F$ keyed by $K$.

- It sends to the chooser its answer, as defined in the distributed OT protocol, encrypted by $\alpha_{\mathcal{S}}$. In addition it sends her $F_K(\mathcal{S}, S_i)$.

After receiving answers from all servers in $\mathcal{S}$ the chooser can compute $\alpha_{\mathcal{S}}$ and decrypt the answers. Since $k > n/2$, every two different subsets of $k$ servers, $\mathcal{S}$ and $\mathcal{S}'$, intersect, and therefore the chooser cannot compute both $\alpha_{\mathcal{S}}$ and $\alpha_{\mathcal{S}'}$.

The above solution can be generalized to any access structure which is based on a quorum system$^3$. Assume, for simplicity, that each quorum contains the same number of servers, $k$. The system should use a $k$-out-of-$n$ threshold access structure. In addition each server $S_i$ should verify that $\mathcal{S}$ is a legitimate quorum which contains $S_i$, and encrypt its answer with $\alpha_{\mathcal{S}}$ as described above. Since each two quorums intersect, the chooser can only decrypt the $k$ answers of a single quorum.
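The first solution above, simulated with a shared-key PRF and the two server-side checks, as an added example that is not part of the original paper; HMAC-SHA256 stands in for the pseudo-random function $F_K$, XOR with $\alpha_{\mathcal{S}}$ for the encryption, and the server names, key and DOT answers are constructed.

```python
"""Limiting a chooser to one quorum of k servers (Section 5, first solution, k > n/2).
Added example, not the paper's code.  HMAC-SHA256 stands in for the pseudo-random
function F_K, XOR with alpha_S for the encryption of the answer, and the servers'
DOT answers are constructed 32-byte strings."""
import hashlib
import hmac


def prf(key, names, server_name):
    """F_K(S, S_i).  S is encoded canonically (sorted) so that every server in S
    derives the same value for the same set, whatever order the chooser lists it in."""
    msg = ",".join(sorted(names)).encode() + b"|" + server_name.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Server:
    def __init__(self, name, key, k, answer):
        self.name, self.key, self.k, self.answer = name, key, k, answer
        self.committed = {}   # ot_id -> the set S this server already answered for

    def respond(self, ot_id, names):
        """Returns (answer XOR alpha_S, F_K(S, S_i)) or None if the request is refused."""
        s = frozenset(names)
        # Check 1: S names exactly k servers and includes this server.
        if len(s) != self.k or self.name not in s:
            return None
        # Check 2: never answer the same OT for a second, different set S'.
        if self.committed.setdefault(ot_id, s) != s:
            return None
        alpha = bytes(32)
        for member in s:                       # alpha_S = XOR over S_j in S of F_K(S, S_j)
            alpha = xor(alpha, prf(self.key, s, member))
        return xor(self.answer, alpha), prf(self.key, s, self.name)


def build_servers(n, k, key):
    """n servers S1..Sn sharing K; the DOT answer of S_i is a constructed digest."""
    return {f"S{i}": Server(f"S{i}", key, k, hashlib.sha256(f"answer{i}".encode()).digest())
            for i in range(1, n + 1)}


def chooser_collect(servers, ot_id, names):
    """Contact every server in S.  The answers decrypt only if all k shares of
    alpha_S arrived; a refusal by any member of S leaves every answer unreadable,
    which is exactly what happens to a second quorum S' that overlaps S."""
    replies = [servers[name].respond(ot_id, names) for name in names]
    if any(r is None for r in replies):
        return None
    alpha = bytes(32)
    for _, share in replies:
        alpha = xor(alpha, share)
    return {name: xor(ct, alpha) for name, (ct, _) in zip(names, replies)}
```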

A solution for $k > n/2$ (and any other quorum system) secure against chooser-servers coalition: The drawback of the previous solution is that even a single server cooperating with the chooser can reveal $K$ and enable the chooser to decrypt messages from more than $k$ servers. The following solution solves the problem of a chooser-servers coalition, provided the size of the coalition is less than $2k - n$.

The sender defines in advance $n(n-1)$ strings $\{\alpha_{i,j}\}_{1 \le i,j \le n,\, i \neq j}$, one for every ordered pair of servers, and gives server $S_i$ the $2(n-1)$ strings $\{\alpha_{i,j}, \alpha_{j,i} \mid j \neq i\}$. The chooser sends to server $S_i$ the set $\mathcal{S}$ of $k$ servers which she is querying. The server first verifies that $S_i \in \mathcal{S}$ and that it was not asked to answer the chooser using a different set $\mathcal{S}'$ of servers. It then sends its answer encrypted by $\oplus_{S_j \in \mathcal{S},\, j \neq i}\, \alpha_{i,j}$. It also sends to the chooser the values $\{\alpha_{j,i} \mid S_j \in \mathcal{S},\, j \neq i\}$. The chooser must receive answers from all the servers in $\mathcal{S}$ before she can decrypt them. This method can be applied to any access structure which is based on a quorum system, provided a coalition does not cover any intersection of quorums.
A Privacy for the Protocol Which Uses Full Polynomials

A.1 Sender's Privacy

We first prove that if $d_y = 1$ then the chooser can learn only a single linear equation of $m_0$ and $m_1$, and then prove this for any degree $d_y$.

Lemma 1. Let $Q(x,y)$ be a bivariate polynomial in which $x$ is of degree $d_x$ and $y$ is linear. Denote by $P(y) = ay + b = Q(0,y)$ the polynomial which is equal to $Q$ constrained to the line $x = 0$ (i.e. to the $y$ axis). Any $2d_x + 1$ values $Q(x_i, y_i)$ where all the $x_i$'s are distinct and different from 0 do not yield more than a single linear equation on the coefficients $a$ and $b$.

Proof: Denote the polynomial as $Q(x,y) = \sum_{i=0}^{d_x} \sum_{j=0}^{1} a_{i,j} x^i y^j$ (i.e. $a = a_{0,1}$ and $b = a_{0,0}$). The $2d_x + 1$ values of $Q(x,y)$ define $2d_x + 1$ linear relations for the $2d_x + 2$ coefficients $a_{i,j}$. Assume wlog that these equations are linearly independent (otherwise Alice has made redundant queries). Note that this implies that not all $y_i$ values are the same (if all $y_i$ were the same then for all $1 \le i \le d_x + 1$ columns $i$ and $d_x + 1 + i$ would have been linearly dependent).

The equations can be represented by a matrix $A$ with $2d_x + 1$ rows and $2d_x + 2$ columns,

We will prove that it cannot be the case that both $e_{0,0}$ and $e_{0,1}$ are defined by these equations. In other words, let $e_{i,j}$ be the $2d_x + 2$ entry vector in which all entries are 0 except for the $(i + 1 + j \cdot (d_x + 1))$'th entry which is 1 (i.e. only the coefficient of $a_{i,j}$ is 1). We will prove that the rows of the matrix $A$ cannot span both $e_{0,0}$ and $e_{0,1}$.

The vector space is of dimension $2d_x + 2$, the vectors $e_{0,0}$ and $e_{0,1}$ are orthogonal and the rank of $A$ is $2d_x + 1$ (all its rows are linearly independent). Therefore $A$ spans a vector in the linear subspace generated by $e_{0,0}$ and $e_{0,1}$. Assume wlog that this vector is of the form $v = (\alpha, 0, \ldots, 0, 1, 0, \ldots, 0)$, i.e. that its first entry equals $\alpha$ and its $(d_x + 2)$'th entry equals 1. The vector $v$ can be represented as a linear combination of the rows of $A$, and we can therefore replace one of the rows of $A$ (say the last row) with $v$. Wlog we prove that this revised matrix (and therefore also $A$) cannot span $e_{0,0}$ in addition to $v$. Consider the matrix $B'$ which is constructed by adding to the revised matrix the row $e_{0,0}$. It has $2d_x + 2$ rows and $2d_x + 2$ columns.

$$B' = \begin{pmatrix} 1 & 0 & \cdots & 0 & 0 & 0 & \cdots & 0 \\ \alpha & 0 & \cdots & 0 & 1 & 0 & \cdots & 0 \\ 1 & x_1 & \cdots & x_1^{d_x} & y_1 & y_1 x_1 & \cdots & y_1 x_1^{d_x} \\ \vdots & \vdots & & \vdots & \vdots & \vdots & & \vdots \\ 1 & x_{2d_x} & \cdots & x_{2d_x}^{d_x} & y_{2d_x} & y_{2d_x} x_{2d_x} & \cdots & y_{2d_x} x_{2d_x}^{d_x} \end{pmatrix}$$

The lemma is proven by the following claim, which shows that all the rows of $B'$ are linearly independent. The proof appears in the full version of the paper.

Claim: The determinant of a matrix $B'$ in which all the $x_i$'s are distinct and different from 0 and not all $y_i$ values are equal cannot be 0.

Following is a privacy theorem for polynomials in which the degree of $y$ is greater than linear. The proof is similar to that of Lemma 1.


Theorem 3. Let $Q(x,y)$ be a bivariate polynomial in which $x$ is of degree $d_x$ and $y$ of degree $d_y$. Denote by $P(y) = \sum_{j=0}^{d_y} a_{0,j} y^j = Q(0,y)$ the polynomial which is equal to $Q$ constrained to the line $x = 0$ (i.e. to the $y$ axis). Denote the coefficients of the elements free of $x$, i.e. $a_{0,0}, a_{0,1}, \ldots, a_{0,d_y}$, as the $y$ coefficients. Then given any $2d_x + 1$ values $Q(x_i, y_i)$ where all the $x_i$'s are distinct and different from 0, at most a single linear relation is defined between the $y$ coefficients.

A.2 Chooser-Servers Collusion

The following theorem demonstrates that a collusion between the chooser and $d_x - $ servers (in addition to the $k$ servers that were contacted by the chooser) cannot learn about $m_0, m_1$ more than can be learned by the chooser herself. The proof appears in the full version of the paper.

Theorem 4. Let $Q(x,y)$ be a bivariate polynomial in which $x$ is of degree $d_x$ and $y$ of degree $d_y$. Denote by $P(y) = \sum_{j=0}^{d_y} a_{0,j} y^j = Q(0,y)$ the polynomial which is equal to $Q$ constrained to the line $x = 0$ (i.e. to the $y$ axis). Denote the coefficients of the elements free of $x$, i.e. $a_{0,0}, a_{0,1}, \ldots, a_{0,d_y}$, as the $y$ coefficients. Then given any $2d_x + 1$ values $Q(x_i, y_i)$ where all the $x_i$'s are distinct and different from 0, and given the restrictions of $Q(x,y)$ to $t$ different $x$ values, where $t < d_x - $ f^+i, at most a single linear relation is defined between the $y$ coefficients.
Abstract. This paper describes improved methods for XTR key representation and parameter generation (cf. [4]). If the field characteristic
is properly chosen, the size of the XTR public key for signature appli- 
cations can be reduced by a factor of three at the cost of a small one 
time computation for the recipient of the key. Furthermore, the param- 
eter set-up for an XTR system can be simplified because the trace of 
a proper subgroup generator can, with very high probability, be com- 
puted directly, thus avoiding the probabilistic approach from [4]. These 
non-trivial extensions further enhance the practical potential of XTR. 

1 Introduction 

In [1] it was shown that conjugates of elements of a subgroup of $GF(p^6)^*$ of order dividing $\phi_6(p) = p^2 - p + 1$ can be represented using $2\log_2(p)$ bits, as opposed to the $6\log_2(p)$ bits that would be required for their traditional representation. In [4] an improved version of the method from [1] was introduced that achieves the same communication advantage at a much lower computational cost. The resulting representation method is referred to as XTR, which stands for Efficient and Compact Subgroup Trace Representation. As shown in [4], solving the XTR version of a particular discrete logarithm related problem is equivalent to solving the same problem in its traditional $GF(p^6)$ setting, which is as hard as solving the problem in the full multiplicative group $GF(p^6)^*$.

It is argued in [4] that XTR is an excellent alternative to either RSA or 
Elliptic Curve Cryptosystems using random curves over prime fields (ECC), 
because it combines most of the advantages of RSA and ECC without having 
any of their disadvantages. More specifically, it is shown in [4] that, with the 
exception of signature applications, XTR keys are much smaller than RSA keys 
of equivalent security, and at most twice as big as ECC keys. Furthermore, 
parameter and key selection for XTR is very fast compared to RSA, and thus 
much faster than ECC. Finally, for almost all cryptographic applications XTR is 
faster than ECC when random curves over prime fields are used; the exception 
is signature verification where ECC is slightly faster than XTR. 

In this paper we describe three improvements to XTR. We present a careful 
analysis of Scipione del Ferro’s classical method to solve cubic equations. As a 
result we are able to reduce the XTR public key size for signature applications 
by a factor of three if the field characteristic is not equal to 8 modulo 9. Because 
that is not unduly restrictive, it follows that XTR public keys are at most twice 
as long as ECC public keys for all applications of XTR. This is, in our opinion, 
an important enhancement of XTR. As a side result we get a method to find 
the trace of a proper subgroup generator that is 50% faster than the method 
presented in [4]. Finally, we give a much faster deterministic method for the 
same problem that works only if the characteristic is not equal to 8 modulo 9. 
Neither of these two improved XTR parameter selection methods is of crucial 
importance for practical applications of XTR, but the last method in particular 
makes implementation of XTR even easier. The resulting algorithms are all very 
practical and allow easy implementation. 

In Section 2 we review XTR. In Section 3 we present Scipione del Ferro’s 
method and the resulting improved parameter selection method. An even faster 
parameter selection method is given in Section 4, and the key size reduction 
methods are given in Section 5. 


2 XTR 

In this section we review some of the results from [4]. Let $p$ be prime and let $F(c,X)$ for $c \in GF(p^2)$ be the polynomial $X^3 - cX^2 + c^p X - 1 \in GF(p^2)[X]$.

For $n \in \mathbb{Z}$ we denote by $c_n$ the sum of the $n$th powers of the roots of $F(c,X)$, i.e., if $F(c, h_j) = 0$ for $j = 0, 1, 2$, then $c_n = h_0^n + h_1^n + h_2^n$. Notice that $c_1 = c$. It is shown in [4] that $c_n \in GF(p^2)$, that $c_{-n} = c_n^p$, and that $F(c_n, h_j^n) = 0$ for $j = 0, 1, 2$. Furthermore, if $p \equiv 2 \bmod 3$, then $p$th powering in $GF(p^2)$ is effectively free, and $c_n$ can be computed given $c = c_1$ in $8\log_2(n)$ multiplications in $GF(p)$ using a Fibonacci-like recurrence relation (cf. [4]). The values $c_{n-1}$ and $c_{n+1}$ are obtained at no extra cost as a side result of the computation of $c_n$.

It is shown in [4] that if $F(c,X)$ is irreducible, then the roots of $F(c,X)$ take the form $h, h^{p^2}, h^{p^4}$ for some $h \in GF(p^6)$ of order dividing $p^2 - p + 1$ and $> 3$. This implies that in these circumstances $c_n$ is of the form $Tr(h^n)$, where $Tr(y) = y + y^{p^2} + y^{p^4} \in GF(p^2)$ is the trace over $GF(p^2)$ of $y \in GF(p^6)$, i.e., the sum of the conjugates over $GF(p^2)$ of $y$. The trace over $GF(p^2)$ is $GF(p^2)$-linear. Vice versa, it is shown that the minimal polynomial of any $h \in GF(p^6)$ of order dividing $p^2 - p + 1$ and $> 3$ is equal to $F(Tr(h), X)$, illustrating the fundamental idea of XTR that for such $h$ the trace value fully specifies $h$'s minimal polynomial, and thus the conjugates of $h$.

Let $g \in GF(p^6)$ have order $q$ for a prime $q > 3$ dividing $p^2 - p + 1$. It follows from the results cited above that $Tr(g^n) \in GF(p^2)$ and $F(Tr(g^n), g^n) = 0$ for any $n$. Furthermore, if $p \equiv 2 \bmod 3$ then $Tr(g^n)$ can be computed given $Tr(g)$ in $8\log_2(n)$ multiplications in $GF(p)$, which is almost three times faster than computing $g^n$ from $g$ using traditional exponentiation methods. Thus, in XTR we replace powers of $g$ by their traces, thereby saving a factor of three both in storage and in computing time. Note that an actual representation of $g$ is not required, and that it suffices to have its trace $Tr(g)$. Given $Tr(g)$, the order $q$ subgroup generated by (the unknown) $g$ is called the XTR group.

XTR parameter selection is the problem of finding primes $p$ and $q$ such that $q$ divides $p^2 - p + 1$, $q > 3$, $p \equiv 2 \bmod 3$, and $p \equiv 3 \bmod 4$, and the trace $Tr(g)$ of a generator of the XTR group. The primes $p$ and $q$ of appropriate sizes can be found using either of the two methods given in [4]. To find a proper $Tr(g)$ it suffices to find $c \in GF(p^2) \setminus GF(p)$ such that $F(c,X) \in GF(p^2)[X]$ is irreducible, such that $c_{(p^2-p+1)/q} \neq 3$, and to put $Tr(g) = c_{(p^2-p+1)/q}$ (cf. [4]). The probability that $c_{(p^2-p+1)/q} = 3$ if $F(c,X)$ is irreducible is only $1/q$, so usually the first irreducible $F(c,X)$ works. In Section 3 we describe a fast way to test $F(c,X)$ for irreducibility (assuming a randomly selected $c \in GF(p^2)$), and in Section 4 we show how irreducible polynomials of the form $F(c,X)$ can be written down directly if $p \not\equiv 8 \bmod 9$.

The ability to quickly compute $Tr(g^n)$ given $Tr(g)$ suffices for efficient implementation of many cryptographic protocols. But in some cryptographic applications, most notably verification of digital signatures and authentication responses, values of the form $Tr(g^{a+kb})$ have to be computed, for $a, b \in \mathbb{Z}$, given $Tr(g)$ and $Tr(g^k)$ for some secret integer $k$ (the private key). It is shown in [4] that computation of $Tr(g^{a+kb})$ can efficiently be done if additionally $Tr(g^{k-1})$ and $Tr(g^{k+1})$ are known. Thus, whereas for many applications the XTR public key data consist of just $p$, $q$, $Tr(g)$, and $Tr(g^k)$ (for unknown $k$), in some applications $Tr(g^{k-1})$ and $Tr(g^{k+1})$ must be included in the XTR public key data as well. This considerably increases the transmission overhead for the XTR public key data. In Section 4 we show how this problem can be dealt with. First we show that $Tr(g^{k-1})$ (or $Tr(g^{k+1})$) can easily be determined as a function of $Tr(g)$, $Tr(g^k)$ and $Tr(g^{k+1})$ (or $Tr(g^{k-1})$). And next we show how $Tr(g^{k+1})$ (or $Tr(g^{k-1})$) can be quickly computed based on just $Tr(g)$ and $Tr(g^k)$, assuming that $p \not\equiv 8 \bmod 9$. Both methods impose very mild restrictions on the choice of the private key $k$ and have no negative impact on the security of XTR.

3 Finding a Root of a Cubic Equation 

We describe Scipione del Ferro's classical method (cf. [6], page 559) to compute the roots of a third-degree equation in its full generality, after which we apply it to test the third-degree polynomial $F(c,X) \in GF(p^2)[X]$ as in Section 2 for irreducibility.

Algorithm 3.1 (Scipione del Ferro, ~1465-1526) To find the roots of the third-degree polynomial $f(X) = aX^3 + bX^2 + dX + e$ in a field of characteristic $p$ unequal to 2 or 3, perform the following steps.

1. Compute the polynomial $f(X - b/(3a))/a = X^3 + f_1 X + f_0$ with $f_1 = (3ad - b^2)/(3a^2)$ and $f_0 = (27a^2 e - 9abd + 2b^3)/(27a^3)$.

2. Compute the discriminant $\Delta = f_0^2 + 4f_1^3/27$ of the polynomial $X^2 + f_0 X - f_1^3/27$, and compute its roots $r_{1,2} = (-f_0 \pm \sqrt{\Delta})/2$.

3. If $r_1 = r_2 = 0$, then let $u = v = 0$. Otherwise, let $r_1 \neq 0$, compute a cube root $u$ of $r_1$, and let $v = -f_1/(3u)$. Note that $v$ is a cube root of $r_2$.

4. The roots of $f(X)$ are $u + v - b/(3a)$, $uw + vw^2 - b/(3a)$, and $uw^2 + vw - b/(3a)$, where $w \in GF(p^2)$ is a non-trivial cube root of unity, i.e., $w^3 = 1$ and $w^2 + w + 1 = 0$.


Theorem 3.2 Let $f(X) \in GF(p^2)[X]$ be such that $\Delta$ as in Step 2 of Algorithm 3.1 is in $GF(p)$. The following four statements are equivalent.

1. $f(X)$ is reducible over $GF(p^2)$.

2. $f(X)$ has a root in $GF(p^2)$.

3. $f(X)$ has three roots in $GF(p^2)$.

4. The roots $r_1$ and $r_2$ as in Step 2 of Algorithm 3.1 are cubes in $GF(p^2)$.

Proof. $1 \Leftrightarrow 2$ and $3 \Rightarrow 2$ are trivial. We prove $2 \Leftrightarrow 4$ and $4 \Rightarrow 3$.

'$4 \Rightarrow 2$'. If there is a $u$ in $GF(p^2)$ such that $u^3 = r_1$, then $u - f_1/(3u) - b/(3a)$ is a root of $f(X)$ in $GF(p^2)$ (cf. Step 4 of Algorithm 3.1).

'$2 \Rightarrow 4$'. If $f(X)$ has a root in $GF(p^2)$, then there is a cube root $u$ of $r_1$ such that $u + v - b/(3a) \in GF(p^2)$, with $v = -f_1/(3u)$, so that $u + v$ is in $GF(p^2)$. Since also $uv = -f_1/3$ is in $GF(p^2)$, it follows that $u \in GF(p^4)$. On the other hand, $r_1, r_2 \in GF(p^2)$ because $\Delta \in GF(p)$. Since $u^3 = r_1$ it follows that $u \in GF(p^6)$. From $u \in GF(p^4) \cap GF(p^6)$ it follows that $u \in GF(p^2)$ so that $r_1$ is a cube in $GF(p^2)$. It follows from $r_2 = (-f_1/(3u))^3$ that $r_2$ is a cube in $GF(p^2)$ as well.

'$4 \Rightarrow 3$'. If $u - f_1/(3u) - b/(3a)$ is a root of $f(X)$ with $u$ in $GF(p^2)$ then $uw - f_1 w^2/(3u) - b/(3a)$ and $uw^2 - f_1 w/(3u) - b/(3a)$, with $w \in GF(p^2)$ as in Step 4 of Algorithm 3.1, are the two other roots of $f(X)$ (cf. Step 4 of Algorithm 3.1), and all three roots are in $GF(p^2)$.

Lemma 3.3 For any $c \in GF(p^2)$ the discriminant $\Delta$ as in Step 2 of Algorithm 3.1 of $f(X) = F(c,X)$ is in $GF(p)$.

Proof. It follows from a straightforward computation that $\Delta = 1 - 2c^{p+1}/3 - c^{2p+2}/27 + 4(c^3 + c^{3p})/27$. This implies that $\Delta^p = \Delta$ so that $\Delta \in GF(p)$.

Corollary 3.4 The polynomial $F(c,X) \in GF(p^2)[X]$ is reducible over $GF(p^2)$ if and only if the $r_1$ from Step 2 of an application of Algorithm 3.1 to $f(X) = F(c,X)$ is a cube in $GF(p^2)$.

Proof. Immediate from Lemma 3.3 and Theorem 3.2.

An element $x \in GF(p^2)$ is a cube if and only if $x^{(p^2-1)/3} = 1$, which is the case if and only if $x^{p(p+1)/3} = x^{(p+1)/3}$. Thus, testing if an element of $GF(p^2)$ is a cube can be done at the cost of a $(p+1)/3$th powering in $GF(p^2)$ followed by a $p$th powering (which is free in $GF(p^2)$, cf. Section 2).

Algorithm 3.5 (Irreducibility test) To decide if $F(c,X) \in GF(p^2)[X]$ is irreducible over $GF(p^2)$, perform the following steps.

1. Compute $F(c, X + c/3) = X^3 + f_1 X + f_0 \in GF(p^2)[X]$ with $f_1 = c^p - c^2/3$ and $f_0 = (-27 + 9c^{p+1} - 2c^3)/27$ (cf. $p \neq 2, 3$).

2. If $\Delta = f_0^2 + 4f_1^3/27 \in GF(p)$ (cf. $p \neq 3$) is a quadratic non-residue in $GF(p)$ then $F(c,X)$ is reducible (cf. Lemma 3.6).

3. Otherwise, compute a root $r_1 \in GF(p^2)$ (cf. Corollary 3.4) of $X^2 + f_0 X - (f_1/3)^3$: $r_1 = (-f_0 + \sqrt{\Delta})/2$ (cf. $p \neq 2$).

4. Compute $y = r_1^{(p+1)/3} \in GF(p^2)$; then $F(c,X)$ is irreducible $\Leftrightarrow y \neq y^p$.
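Algorithm 3.5 carried out over a toy $GF(p^2)$, with the cube test above and the free $p$th powering of Section 2, as an added example that is not part of the paper; the verdict is cross-checked against brute-force root finding for every $c$. The prime $p = 11$ is a constructed parameter (far too small for any real use) chosen only because it satisfies $p \equiv 2 \bmod 3$ and $p \equiv 3 \bmod 4$.

```python
"""Algorithm 3.5 (irreducibility of F(c,X) = X^3 - c X^2 + c^p X - 1 over GF(p^2))
checked against brute-force root finding.  Added example, not the paper's code.
GF(p^2) is modelled as GF(p)[alpha]/(alpha^2 + alpha + 1), which is a field since
p = 2 mod 3; p = 11 is a constructed toy parameter (11 = 2 mod 3, 11 = 3 mod 4)."""


class GF2:
    """Element a + b*alpha of GF(p^2) with alpha^2 = -alpha - 1."""
    p = 11

    def __init__(self, a, b=0):
        self.a, self.b = a % self.p, b % self.p

    def __add__(self, o):
        return GF2(self.a + o.a, self.b + o.b)

    def __sub__(self, o):
        return GF2(self.a - o.a, self.b - o.b)

    def __neg__(self):
        return GF2(-self.a, -self.b)

    def __eq__(self, o):
        return (self.a, self.b) == (o.a, o.b)

    def __mul__(self, o):
        # (a + b alpha)(c + d alpha) = ac + (ad + bc) alpha + bd alpha^2,  alpha^2 = -1 - alpha
        return GF2(self.a * o.a - self.b * o.b,
                   self.a * o.b + self.b * o.a - self.b * o.b)

    def __pow__(self, e):
        r, base = GF2(1), self
        while e:
            if e & 1:
                r = r * base
            base, e = base * base, e >> 1
        return r

    def frob(self):
        # p-th powering is free: alpha^p = alpha^2 = -1 - alpha because p = 2 mod 3
        return GF2(self.a - self.b, -self.b)

    def in_gf_p(self):
        return self.b == 0


def inv(x, p):
    return pow(x, p - 2, p)


def is_irreducible(c):
    """Algorithm 3.5 for c in GF(p^2)."""
    p = GF2.p
    i3, i27 = GF2(inv(3, p)), GF2(inv(27, p))
    # Step 1: F(c, X + c/3) = X^3 + f1 X + f0
    f1 = c.frob() - c * c * i3
    f0 = (GF2(-27) + GF2(9) * c.frob() * c - GF2(2) * c**3) * i27
    # Step 2: Delta = f0^2 + 4 f1^3/27 lies in GF(p) (Lemma 3.3); a non-residue means reducible
    delta = f0 * f0 + GF2(4) * f1**3 * i27
    assert delta.in_gf_p(), "Lemma 3.3 violated: discriminant not in GF(p)"
    d = delta.a
    if d != 0 and pow(d, (p - 1) // 2, p) != 1:
        return False
    # Step 3: sqrt(Delta) = Delta^((p+1)/4) as p = 3 mod 4;  r1 = (-f0 + sqrt(Delta))/2
    sq = GF2(pow(d, (p + 1) // 4, p))
    half = GF2(inv(2, p))
    r1 = (-f0 + sq) * half
    if r1 == GF2(0):
        r1 = (-f0 - sq) * half   # Algorithm 3.1, Step 3: use the non-zero root if any
    # Step 4: r1 is a cube in GF(p^2) iff y = r1^((p+1)/3) satisfies y^p = y
    y = r1 ** ((p + 1) // 3)
    return not (y.frob() == y)


def F(c, x):
    return x**3 - c * x * x + c.frob() * x - GF2(1)


def has_root(c):
    """Brute force: a cubic is reducible over GF(p^2) iff it has a root there."""
    p = GF2.p
    return any(F(c, GF2(a, b)) == GF2(0) for a in range(p) for b in range(p))


def count_irreducible():
    """Cross-check Algorithm 3.5 with brute force for every c in GF(p^2) and return
    how many F(c, X) are irreducible (expected (p^2 - p + 1 - 3)/3: one per orbit
    {h, h^(p^2), h^(p^4)} of elements of order dividing p^2 - p + 1 and > 3)."""
    p = GF2.p
    total = 0
    for a in range(p):
        for b in range(p):
            c = GF2(a, b)
            irr = is_irreducible(c)
            assert irr == (not has_root(c)), (a, b)
            total += irr
    return total
```

For $c \in GF(p)$ the polynomial always has the root 1 (since then $c^p = c$), so the test must report "reducible" there; the count returned by `count_irreducible` is about one third of the $p^2 - p$ candidates $c \notin GF(p)$, matching the probability quoted in Section 2.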

Lemma 3.6 The discriminant $\Delta$ as in Step 2 of Algorithm 3.5 is a quadratic residue in $GF(p)$ if and only if either $F(c,X)$ is irreducible in $GF(p^2)[X]$ or all roots in $GF(p^2)$ of $F(c,X)$ have order dividing $p+1$.

Proof. According to Algorithm 3.1 the roots $h_0, h_1, h_2$ in $GF(p^6)$ of $F(c,X) \in GF(p^2)[X]$ can be written as $u + v + y$, $u\alpha + v\alpha^2 + y$, and $u\alpha^2 + v\alpha + y$ with $u$ and $v$ as in Algorithm 3.1, $y$ some element of $GF(p^2)$, and $\alpha$ as in Section 4. Without loss of generality we have that $h_0 = u + v + y$, $h_1 = u\alpha + v\alpha^2 + y$, and $h_2 = u\alpha^2 + v\alpha + y$. Multiplying the three identities by 1, $\alpha^2$, and $\alpha$, respectively, we get

$$h_0 = u + v + y, \quad \alpha^2 h_1 = u + v\alpha + y\alpha^2, \quad \alpha h_2 = u + v\alpha^2 + y\alpha.$$

Adding these identities and using that $\alpha^2 + \alpha + 1 = 0$ we find that $u = U/3$ where $U = h_0 + \alpha^2 h_1 + \alpha h_2$.

According to Algorithm 3.1 we have that $U^3/27 = u^3 = r_1$ where $r_1 = (-f_0 + \sqrt{\Delta})/2$ and $f_0 = (-27 + 9c^{p+1} - 2c^3)/27$ (cf. Algorithm 3.5). Since $(-27 + 9c^{p+1})/27 \in GF(p)$ we have that $\sqrt{\Delta} \in GF(p)$ if and only if $U^3 - c^3 \in GF(p)$. With $c_3 = Tr(g^3) = c^3 - 3c^{p+1} + 3$ (cf. Corollary 2.3.5.i and ii in [4]) and $c^{p+1} \in GF(p)$ this is the case if and only if $U^3 - Tr(g^3) \in GF(p)$. With $Tr(g^3) = h_0^3 + h_1^3 + h_2^3$ it follows from a straightforward computation that

$$U^3 - Tr(g^3) = 3(h_0^2 h_2 + h_1^2 h_0 + h_2^2 h_1 - 2)\alpha + 3(h_0^2 h_1 + h_1^2 h_2 + h_2^2 h_0 - 2)\alpha^2$$
$$= 3(h_0/h_1 + h_1/h_2 + h_2/h_0 - 2)\alpha + 3(h_0/h_2 + h_1/h_0 + h_2/h_1 - 2)\alpha^2,$$

where the last identity follows from $h_0 h_1 h_2 = 1$. According to Lemma 2.3.2.iv in [4] we have that $F(c, h_j^{-p}) = 0$ for $j = 0, 1, 2$. Thus either $h_j = h_j^{-p}$ for $j = 0, 1, 2$ (i.e., all roots have order dividing $p+1$), or $h_0 = h_0^{-p}$, $h_1 = h_2^{-p}$, and $h_2 = h_1^{-p}$, or $h_j = h_{(j+1) \bmod 3}^{-p}$ for $j = 0, 1, 2$. According to Lemma 2.3.2.vi in [4], the last case is equivalent with $F(c,X)$ being irreducible in $GF(p^2)[X]$. We prove that $U^3 - Tr(g^3) \in GF(p)$ if and only if the first or the last case applies.

Let $w = h_0/h_1 + h_1/h_2 + h_2/h_0$ and $z = h_0/h_2 + h_1/h_0 + h_2/h_1$. If the first or the last case applies, then $w^p = z$ so that $(U^3 - Tr(g^3))^p = U^3 - Tr(g^3)$, and thus $U^3 - Tr(g^3) \in GF(p)$. If the second case applies, then $w^p = w$ and $z^p = z$ so that $w, z \in GF(p)$. Now, if additionally $U^3 - Tr(g^3) \in GF(p)$ then $w = z$ so that the polynomial $X^3 - wX^2 + zX - 1 = X^3 - wX^2 + wX - 1$ has 1 as a root. As this polynomial has root-set $\{h_0/h_1, h_1/h_2, h_2/h_0\}$, it follows that $h_1 = h_2$, or one of $h_1, h_2$ is equal to $h_0$. As the order of $h_0$ divides $p+1$ by assumption, it follows in each case that the same is true for $h_1$ and $h_2$. That is, the first case applies (and we are in the situation that both the first and the second case apply).
Theorem 3.7 Finding the trace of a generator of the XTR group can be done in an expected number of $7.2\log_2(p) + 8\log_2((p^2 - p + 1)/q)$ plus a small constant number of multiplications in $GF(p)$.

Proof. The correctness of Algorithm 3.5 follows from Corollary 3.4 and Lemma 3.6. Because $\Delta$ is a quadratic residue in $GF(p)$ if $F(c, X)$ is irreducible (cf. Appendix A), Step 3 of Algorithm 3.5 takes a $((p + 1)/4)$-th powering in $GF(p)$ (cf. $p \equiv 3 \bmod 4$). Assuming that a squaring in $GF(p)$ takes 80% of the time of a multiplication (cf. [2]), Step 3 of Algorithm 3.5 can be expected to require $1.3\log_2(p)$ multiplications in $GF(p)$. Step 4 of Algorithm 3.5 takes an expected $\log_2(p)$ squarings and $0.5\log_2(p)$ multiplications in $GF(p^2)$, for an expected total of $3.5\log_2(p)$ multiplications in $GF(p)$ (cf. Lemma 2.1.1 in [4]). Thus the total expected cost of Steps 3 and 4 of Algorithm 3.5 is $4.8\log_2(p)$ multiplications in $GF(p)$. According to Lemma 3.2.1 in [4] the probability that $F(c, X)$ is irreducible for a random $c \in GF(p^2)$ is about one third. Furthermore, it can be proved along the lines of the proof of the same lemma that for a random $c$ the $\Delta$ as in Step 2 of Algorithm 3.5 is a quadratic non-residue with probability $1/2$. The theorem now follows with Section 2 and the fact that the cost of the Jacobi sum test to test the quadratic residuosity of $\Delta$ is bounded by a small constant number of multiplications in $GF(p)$.

Remark 3.8 It follows that a proper $Tr(g)$ can be found more than 50% faster than described in [4]. Theorem 3.7 is however just a side result of a more important consequence of Scipione del Ferro's method, namely the key size reduction method presented in Section 5. Before we can present that method we need some other results that also lead to yet another, even faster, way to find $Tr(g)$.

4 Improved Parameter Selection if $p \neq 8 \bmod 9$

In this section we prove that if $p \neq 8 \bmod 9$ (but $p \equiv 2 \bmod 3$), then an irreducible $F(c, X) \in GF(p^2)[X]$ can be written down directly. This follows from a general argument shown to us by H.W. Lenstra, Jr., that applies even to the characteristic zero case. We present a simplified description that applies just to non-zero characteristics.

So far we have considered $p \equiv 2 \bmod 3$, because this implies that the polynomial $(X^3 - 1)/(X - 1) = X^2 + X + 1 \in GF(p)[X]$ is irreducible over $GF(p)$ and $\{\alpha, \alpha^2\}$ with $\alpha^2 + \alpha + 1 = 0$ forms an optimal normal basis for $GF(p^2)$ over $GF(p)$. As shown in [4] this leads to a very efficient and convenient representation of $GF(p^2)$ in which $p$-th powering is free. Here we restrict the choice of $p$ to $p \equiv 2 \bmod 9$ or $p \equiv 5 \bmod 9$, i.e., $p \equiv 2 \bmod 3$ but $p \neq 8 \bmod 9$. For these $p$ the polynomial $(Z^9 - 1)/(Z^3 - 1) = Z^6 + Z^3 + 1 \in GF(p)[Z]$ is irreducible over $GF(p)$, as follows from the well known result that the $t$-th cyclotomic polynomial $\Phi_t(Z)$ is irreducible over $GF(p)$ if $GF(t)^*$ is cyclic and generated by $p \bmod t$. The multiplicative group $GF(t)^*$ is cyclic if and only if either $t = 2, 4$, or $t$ is a power of an odd prime, or $t$ is twice a power of an odd prime, or $t$ is four times the power of an odd prime that is $2 \bmod 3$. Applying this to $t = 9$ and $p \equiv 2, 5 \bmod 9$ it follows that $\Phi_9(Z) = Z^6 + Z^3 + 1 \in GF(p)[Z]$ is irreducible over $GF(p)$.

Let $\zeta$ denote a zero of $Z^6 + Z^3 + 1$. This $\zeta$ enables us to conveniently represent elements of $GF(p^6)$, either using a basis over $GF(p)$ or using a basis over $GF(p^2)$. For the purposes of the present section we use a basis over $GF(p)$ and write elements of $GF(p^6)$ as $\sum_{i=0}^{5} a_i\zeta^i$ for $a_i \in GF(p)$. In this representation elements of the subfield $GF(p^2)$ of $GF(p^6)$ correspond to elements of the form $a_3\zeta^3 + a_0$; this follows from $3p^2 \equiv 3 \bmod 9$ and a counting argument. The element $\sum_{i=0}^{5} a_i\zeta^i$ can be written as $(a_5\zeta^6 + a_2\zeta^3)\zeta^{-1} + (a_4\zeta^6 + a_1\zeta^3)\zeta^{-2} + (a_3\zeta^6 + a_0\zeta^3)\zeta^{-3}$. Since $\zeta^3 = \alpha$ with $\alpha$ as above, this implies that $\{\zeta^{-1}, \zeta^{-2}, \zeta^{-3}\}$ forms a basis for $GF(p^6)$ over $GF(p^2)$, using the representation of $GF(p^2)$ as used in [4]. Obviously, the latter basis is equivalent to the basis $\{\zeta^2, \zeta, 1\}$ which we found convenient for implementation purposes. This basis simply leads to squaring and multiplication in $GF(p^6)$ at the cost of 12 and 18 multiplications in $GF(p)$, respectively. Note that one can move back and forth between the representations of $GF(p^6)$ at the cost of a small constant number of additions in $GF(p)$.

None of the above bases is optimal normal. For the calculations in this section that is not a problem, since they had to be carried out just once. For practical applications of XTR it is not a disadvantage either, because in the key recovery application (cf. Section 5) at most three multiplications in $GF(p^6)$ have to be carried out per XTR key recovery. Note that if $p \bmod 7$ generates $GF(7)^*$ the polynomial $(X^7 - 1)/(X - 1)$ is irreducible over $GF(p)$ and leads to an optimal normal basis for $GF(p^6)$ over $GF(p)$ (cf. [3]). We chose not to use this representation because it imposes an additional restriction on $p$ without leading to significant advantages.

Lemma 4.1 The trace over $GF(p^2)$ of $\sum_{i=0}^{5} a_i\zeta^i \in GF(p^6)$ equals $3(a_3\zeta^3 + a_0) = 3(a_3\alpha + a_0) = -3a_0\alpha^2 + 3(a_3 - a_0)\alpha \in GF(p^2)$.

Proof. Because the trace is $GF(p^2)$-linear it suffices to show that the trace of $\zeta^i$ is zero for $i = 1, 2, 4, 5$ and $3\zeta^i$ for $i = 0, 3$. This follows trivially from $\zeta^9 = 1$, $\zeta^6 + \zeta^3 + 1 = 0$ and the fact that the trace of $\zeta^i$ equals $\zeta^i + \zeta^{ip^2} + \zeta^{ip^4}$.

Lemma 4.2 For $x \in GF(p^6)$ the trace over $GF(p^2)$ of $x^p$ equals the $p$-th power of the trace of $x$ over $GF(p^2)$.

Proof. The trace over $GF(p^2)$ of $x^p$ equals $x^p + x^{p^3} + x^{p^5}$, which is the $p$-th power of the trace $x + x^{p^2} + x^{p^4}$ of $x$ over $GF(p^2)$.

A particularly convenient property of our representation of GF(p 6 ) is that it 
enables us to do several calculations without using the specific value of p. The 
following result is an example. 

Proposition 4.3 Let $a \in GF(p)$, let $\zeta$ and $\alpha = \zeta^3$ be as above, and let $Q = (p^6 - 1)/(p^2 - p + 1)$. Then the trace over $GF(p^2)$ of the element $(\zeta + a)^Q$ of $GF(p^6)$ of order dividing $p^2 - p + 1$ equals

$$\frac{-3}{a^6 - a^3 + 1}\left((a^2 - 1)^3\alpha + a^3(a^3 - 3a + 1)\alpha^2\right)$$

if $p \equiv 2 \bmod 9$ and the $p$-th power thereof if $p \equiv 5 \bmod 9$, where $a^6 - a^3 + 1 \neq 0$.

Proof. If $a^6 - a^3 + 1 = 0$, then $b = a^3$ is a zero in $GF(p)$ of the sixth cyclotomic polynomial $X^2 - X + 1$. It follows that $b^6 = 1$. With $b^{p-1} = 1$ and $\gcd(p - 1, 6) = 2$ we find that $b^2 = 1$ so that $b = \pm 1$. But neither $+1$ nor $-1$ is a zero of $X^2 - X + 1$, and we conclude that $a^6 - a^3 + 1 \neq 0$.

From $Q = (p^6 - 1)/(p^2 - p + 1) = p^4 + p^3 - p - 1$ it follows that

$$(\zeta + a)^Q = \frac{(\zeta + a)^{p^4}(\zeta + a)^{p^3}}{(\zeta + a)^p(\zeta + a)} = \frac{(\zeta^{p^4} + a)(\zeta^{p^3} + a)}{(\zeta^p + a)(\zeta + a)}.$$

With $\zeta^9 = 1$ this reduces to

$$\frac{(\zeta^7 + a)(\zeta^8 + a)}{(\zeta^2 + a)(\zeta + a)}$$

if $p \equiv 2 \bmod 9$ and to

$$\frac{(\zeta^4 + a)(\zeta^8 + a)}{(\zeta^5 + a)(\zeta + a)}$$

if $p \equiv 5 \bmod 9$. If $p \equiv 5 \bmod 9$ the $p$-th power of the former expression equals the latter, so that if $p \equiv 5 \bmod 9$ the trace of $(\zeta + a)^Q$ equals the $p$-th power of the trace of $(\zeta + a)^Q$ when $p \equiv 2 \bmod 9$ (cf. Lemma 4.2). For the computation of the trace of $(\zeta + a)^Q$ when $p \equiv 2 \bmod 9$ one easily verifies that

$$\frac{a^6 - a^3 + 1}{\zeta + a} = (a^3 - \zeta^3 - 1)(\zeta^2 - a\zeta + a^2)$$

and that

$$\frac{a^6 - a^3 + 1}{\zeta^2 + a} = -a\zeta^5 + (a^3 - 1)\zeta^4 + a^2\zeta^3 - a^4\zeta^2 - \zeta + a^5.$$

With $\zeta^6 + \zeta^3 + 1 = 0$ the trace of

$$\frac{(\zeta^7 + a)(\zeta^8 + a)}{(\zeta^2 + a)(\zeta + a)}$$

then follows from a straightforward computation and Lemma 4.1.

Corollary 4.4 If $a \neq 0, \pm 1$ then

$$\frac{-3}{a^6 - a^3 + 1}\left((a^2 - 1)^3\alpha + a^3(a^3 - 3a + 1)\alpha^2\right) \in GF(p^2)$$

is the trace over $GF(p^2)$ of an element of $GF(p^6)$ of order dividing $p^2 - p + 1$ and $> 3$.
Proof. If $p \equiv 2 \bmod 9$ it follows from Proposition 4.3 that there is an $x \in GF(p^6)^*$ of order dividing $p^2 - p + 1$ with the required trace over $GF(p^2)$. If $p \equiv 5 \bmod 9$ it follows in the same way, after taking conjugates over $GF(p)$ and using Lemma 4.2. If the order of $x$ is at most 3, i.e., 1 or 3, then $x$ is either equal to $1$, $\alpha$, or $\alpha^2$, since $p \equiv 2 \bmod 3$. Thus, the trace of $x$ is equal to $3$, $3\alpha$, or $3\alpha^2$. For the first possibility, $x = 1$, a trace value of $3$ leads to two simultaneous polynomial equations $(a^2 - 1)^3 - (a^6 - a^3 + 1) = 0$ and $a^3(a^3 - 3a + 1) - (a^6 - a^3 + 1) = 0$; since these polynomials are relatively prime, $x$ cannot be equal to $1$. For the other two possibilities, $x = \alpha$ or $x = \alpha^2$, the corresponding trace values lead to $a = 0$ or $a = \pm 1$, respectively, which are excluded by assumption.

It follows from Corollary 4.4 with $a = 2$ and $a = 1/2$ that $(-27\alpha - 24\alpha^2)/19$ and $(27\alpha + 3\alpha^2)/19$, respectively, are trace values of elements of $GF(p^6)^*$ of order dividing $p^2 - p + 1$ and $> 3$. This leads to the following algorithm to find $Tr(g)$.

Algorithm 4.5 (Computation of $Tr(g)$)

1. Let $c = (27\alpha + 3\alpha^2)/19 \in GF(p^2)$ and compute $c_{(p^2 - p + 1)/q}$ (cf. Section 2).

2. If $c_{(p^2 - p + 1)/q} \neq 3$, then let $Tr(g) = c_{(p^2 - p + 1)/q}$ and return success.

3. Otherwise, if $c_{(p^2 - p + 1)/q} = 3$, then replace $c$ by $(-27\alpha - 24\alpha^2)/19 \in GF(p^2)$ and recompute $c_{(p^2 - p + 1)/q}$.

4. If $c_{(p^2 - p + 1)/q} \neq 3$, then let $Tr(g) = c_{(p^2 - p + 1)/q}$ and return success.

5. Otherwise, if $c_{(p^2 - p + 1)/q} = 3$, then return failure.

The probability of failure of Algorithm 4.5 may be expected to be $q^{-2}$, i.e., negligibly small. If this is a matter of concern, Algorithm 4.5 can trivially be extended to include more 'hard-wired' choices for $c$ (corresponding to $a \neq 0, \pm 1, 2, 1/2$). In the very unlikely event that Algorithm 4.5 fails, which so far has not happened in our test implementation, a different $q$ and $p$ can be selected. On average one may expect that Algorithm 4.5 finds the trace of a generator of the XTR group in about $8\log_2((p^2 - p + 1)/q)$ plus a small constant number of multiplications in $GF(p)$. This is almost twice as fast as the method based on Algorithm 3.5 (cf. Theorem 3.7), but Algorithm 4.5 applies only to the case $p \neq 8 \bmod 9$.
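The following is an added worked example, not code from the paper or from any XTR implementation: it builds $GF(p^6) = GF(p)[Z]/(Z^6 + Z^3 + 1)$ for the constructed toy prime $p = 11$ (so $p \equiv 2 \bmod 9$, with $q = 37$ dividing $p^2 - p + 1 = 111$), computes $(\zeta + a)^Q$ and its trace via Lemma 4.1, compares the result with the closed form of Corollary 4.4 and with the two hard-wired values of Algorithm 4.5, and runs Algorithm 4.5 with the $(p^2 - p + 1)/q$-th power taken in $GF(p^6)$ rather than by the XTR trace exponentiation of [4].

```python
# Toy-size check of Section 4 (Lemma 4.1, Proposition 4.3, Corollary 4.4, Algorithm 4.5).
# Constructed example; P and Q below are toy values chosen so that P = 2 mod 9 and Q | P^2 - P + 1.
P = 11        # constructed: 11 = 2 mod 9, hence p = 2 mod 3 and p != 8 mod 9 as Section 4 requires
Q = 37        # constructed: the prime q dividing p^2 - p + 1 = 111 = 3 * 37 for this P
ONE = [1, 0, 0, 0, 0, 0]
ZETA = [0, 1, 0, 0, 0, 0]

# GF(p^6) = GF(p)[Z]/(Z^6 + Z^3 + 1); an element is the coefficient list [a_0, ..., a_5]
# of sum a_i zeta^i, where zeta is a zero of Z^6 + Z^3 + 1 and alpha = zeta^3.

def f6_mul(u, v):
    prod = [0] * 11
    for i, ui in enumerate(u):
        for j, vj in enumerate(v):
            prod[i + j] = (prod[i + j] + ui * vj) % P
    for d in range(10, 5, -1):            # reduce with zeta^6 = -zeta^3 - 1, top degree first
        coef = prod[d]
        prod[d - 3] = (prod[d - 3] - coef) % P
        prod[d - 6] = (prod[d - 6] - coef) % P
    return prod[:6]

def f6_pow(u, e):
    result, base = ONE, u
    while e:
        if e & 1:
            result = f6_mul(result, base)
        base = f6_mul(base, base)
        e >>= 1
    return result

def trace_over_gf_p2(u):
    """Lemma 4.1: Tr(sum a_i zeta^i) = 3(a_3 alpha + a_0) = 3(a_3 - a_0) alpha - 3 a_0 alpha^2.
    GF(p^2) elements are pairs (x1, x2) standing for x1*alpha + x2*alpha^2 (the basis of [4])."""
    return (3 * (u[3] - u[0]) % P, -3 * u[0] % P)

def gf_p2(n):
    """Embed the integer n into GF(p^2); note that 1 = -alpha - alpha^2."""
    return (-n % P, -n % P)

def prop43_element(a):
    """(zeta + a)^Q with Q = (p^6 - 1)/(p^2 - p + 1): an element of order dividing p^2 - p + 1."""
    exponent = (P**6 - 1) // (P**2 - P + 1)
    return f6_pow([a % P, 1, 0, 0, 0, 0], exponent)

def cor44_trace(a):
    """Closed form of Proposition 4.3 / Corollary 4.4 for p = 2 mod 9:
    -3/(a^6 - a^3 + 1) * ((a^2 - 1)^3 alpha + a^3 (a^3 - 3a + 1) alpha^2)."""
    t = -3 * pow(a**6 - a**3 + 1, -1, P)
    return (t * (a * a - 1)**3 % P, t * a**3 * (a**3 - 3 * a + 1) % P)

def page_trace_values():
    """The two hard-wired traces of Algorithm 4.5: (27 alpha + 3 alpha^2)/19 (from a = 1/2)
    and (-27 alpha - 24 alpha^2)/19 (from a = 2)."""
    inv19 = pow(19, -1, P)
    return (27 * inv19 % P, 3 * inv19 % P), (-27 * inv19 % P, -24 * inv19 % P)

def algorithm_4_5():
    """Algorithm 4.5.  The value c_{(p^2-p+1)/q} is obtained here by raising the GF(p^6) element
    of Proposition 4.3 to that power and taking its trace (Lemma 4.1), in place of the XTR
    trace exponentiation of [4] that the algorithm refers to as Section 2."""
    e = (P * P - P + 1) // Q
    for a in (pow(2, -1, P), 2):                     # a = 1/2 first, then a = 2
        h = f6_pow(prop43_element(a), e)             # g^{(p^2-p+1)/q}: order 1 or order q
        tr = trace_over_gf_p2(h)
        if tr != gf_p2(3):                           # trace 3 means h = 1 (order q gives trace != 3)
            return tr                                # success: Tr(g) for g of order q
    return None                                      # failure, expected with probability about q^-2
```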

5 Key Size Reduction 

In this section we show that $Tr(g^{k+1})$ and $Tr(g^{k-1})$ can be derived from $Tr(g)$ and $Tr(g^k)$, assuming the (unknown) private key $k$ is properly chosen. Throughout this section let $c = Tr(g)$ and $c_n = Tr(g^n)$ for $n \in \mathbb{Z}$. We first show that $c_{k-1}$ (or $c_{k+1}$) follows directly from $c$, $c_k$, and $c_{k+1}$ (or $c_{k-1}$) using surprisingly simple formulas.

Theorem 5.1

1. If $k \neq p, 1 - p \bmod q$ then $c^p c_{k-1} - c\,c_k \neq 0$ and

$$c_{k+1} = \frac{c_k^p(c^2 - 3c^p) - c_{k-1}^p(c^{2p} - 3c) - c\,c_{k-1}^2 + c_k^2(c^p - c^2) + c_k c_{k-1} c^{p+1}}{c^p c_{k-1} - c\,c_k}.$$

2. If $k \neq -p, p - 1 \bmod q$ then $c\,c_{k+1} - c^p c_k \neq 0$ and

$$c_{k-1} = \frac{c_k^p(c^{2p} - 3c) - c_{k+1}^p(c^2 - 3c^p) - c^p c_{k+1}^2 + c_k^2(c - c^{2p}) + c_k c_{k+1} c^{p+1}}{c\,c_{k+1} - c^p c_k}.$$

Proof. From Corollary 2.3.5.ii in [4] it follows that $c^p c_{k-1} - c\,c_k = Tr(g^{k-2}) - Tr(g^{k+1})$. Thus $c^p c_{k-1} - c\,c_k$ can only be zero if $Tr(g^{k-2}) = Tr(g^{k+1})$, which implies that $g^{k-2}$ and $g^{k+1}$ are conjugates. Thus, either $k - 2 \equiv k + 1 \bmod (p^2 - p + 1)$, or $k - 2 \equiv p^2(k + 1) \bmod (p^2 - p + 1)$, or $k - 2 \equiv p^4(k + 1) \bmod (p^2 - p + 1)$. The first equation has no solution, the second one leads to $k \equiv p \bmod (p^2 - p + 1)$, and the third one to $k \equiv 1 - p \bmod (p^2 - p + 1)$. Since $k \neq p, 1 - p \bmod q$ and $q$ divides $p^2 - p + 1$ we find that $c^p c_{k-1} - c\,c_k$ is non-zero.

The polynomial $F(c, X)$ is the characteristic polynomial of the matrix

$$A = \begin{pmatrix} 0 & 0 & 1 \\ 1 & 0 & -c^p \\ 0 & 1 & c \end{pmatrix}$$

(cf. Definition 2.4.1 in [4]). That is, the roots $g$, $g^{p-1}$, and $g^{-p}$ of $F(c, X)$ are the eigenvalues of $A$. Thus $g^k$, $g^{k(p-1)}$ and $g^{-kp}$ are the eigenvalues of the matrix $A^k$, so that the polynomial $F(c_k, X)$ with roots $g^k$, $g^{k(p-1)}$ and $g^{-kp}$ is the characteristic polynomial of $A^k$. From Lemma 2.4.6 in [4] we have that

$$A^k = \begin{pmatrix} Tr(g^2)^p & c^p & 3 \\ c^p & 3 & c \\ 3 & c & Tr(g^2) \end{pmatrix}^{-1} \begin{pmatrix} Tr(g^{k-2}) & c_{k-1} & c_k \\ c_{k-1} & c_k & c_{k+1} \\ c_k & c_{k+1} & Tr(g^{k+2}) \end{pmatrix}.$$

Computing the characteristic polynomial of $A^k$ using this expression, combined with the fact that $Tr(g^{k-2}) = c_{k+1} - c\,c_k + c^p c_{k-1}$, $Tr(g^{k+2}) = c\,c_{k+1} - c^p c_k + c_{k-1}$ and $Tr(g^2) = c^2 - 2c^p$ (cf. Corollary 2.3.5.ii and i in [4]), one obtains a polynomial $\lambda^3 - c_k\lambda^2 + f_1\lambda + f_0$ with

$$-D f_1 = (c^{2p} - 3c)c_{k+1}^2 + (3c^p c_k - 9c_{k-1} + 2c^2 c_k + c^{p+1}c_{k-1} - c^{2p+1}c_k)c_{k+1} - 3c^p c_{k-1}^2 + 9c_k^2 + c^{3p}c_k^2 + c^3 c_k^2 + c^2 c_{k-1}^2 + 3c\,c_k c_{k-1} - c^{p+2}c_k c_{k-1} + 2c^{2p}c_k c_{k-1} - 7c^{p+1}c_k^2.$$

Here $D = c^{2p+2} + 18c^{p+1} - 4(c^{3p} + c^3) - 27 \in GF(p)$ as in Lemma 2.4.4 of [4] and $D \neq 0$ (cf. Lemma 2.4.5 in [4]). Since also $f_1 = c_k^p$ we find that

$$c_{k+1}^2 = (c^{2p} - 3c)^{-1}\big((-3c^p c_k + 9c_{k-1} - 2c^2 c_k - c^{p+1}c_{k-1} + c^{2p+1}c_k)c_{k+1} - D c_k^p + 3c^p c_{k-1}^2 - 9c_k^2 - c^{3p}c_k^2 - c^3 c_k^2 - c^2 c_{k-1}^2 - 3c\,c_k c_{k-1} + c^{p+2}c_k c_{k-1} - 2c^{2p}c_k c_{k-1} + 7c^{p+1}c_k^2\big).$$

Note that $c^{2p} - 3c = c^p Tr(g^{-1}) - c\,Tr(1)$, which is non-zero based on the same argument why $c^p c_{k-1} - c\,c_k$ is non-zero.

Repeating the same argument for the matrix $A^{k-1}$ and its characteristic polynomial $F(c_{k-1}, X)$ (and using Corollary 2.3.5.ii of [4] to express $Tr(g^{k-3})$ in terms of $c$, $c_k$, $c_{k+1}$, and $c_{k-1}$) we obtain another expression for $c_{k+1}^2$:

$$c_{k+1}^2 = (c^2 - 3c^p)^{-1}\big((2c^3 c_k - 3c\,c_{k-1} - c^{p+2}c_{k-1} + 9c_k + 4c^{2p}c_{k-1} - 7c^{p+1}c_k)c_{k+1} - D c_{k-1}^p - c^{2p}c_k^2 - c^4 c_k^2 + 4c^{p+1}c_{k-1}^2 + 6c^p c_k c_{k-1} - 6c\,c_k^2 + 4c^{p+2}c_k^2 - c^3 c_{k-1}^2 + c^2 c_k c_{k-1} - 4c^{2p+1}c_k c_{k-1} - 9c_{k-1}^2 + c^{p+3}c_k c_{k-1}\big).$$

Here $c^2 - 3c^p$ is non-zero because its conjugate $c^{2p} - 3c$ over $GF(p)$ is non-zero. Subtraction of the two expressions for $c_{k+1}^2$ followed by multiplication by $c^{2p} - 3c$ and $c^2 - 3c^p$ and division by $D$ leads to the formula for $c_{k+1}$.

For a proof of the second formula, we apply the first one replacing $c_k$, $c_{k+1}$ and $c_{k-1}$ by $d_{-k} = Tr(g^{-k})$, $d_{-k+1} = Tr(g^{-k+1})$, and $d_{-k-1} = Tr(g^{-k-1})$, respectively. The proof then follows by observing that $c_{k-1}^p = Tr(g^{-k+1}) = d_{-k+1}$, $c_k^p = Tr(g^{-k}) = d_{-k}$ and $c_{k+1}^p = Tr(g^{-k-1}) = d_{-k-1}$ (since $c_n^p = c_{-n}$, cf. Section 2) and by taking the conjugate over $GF(p)$.

Because $p$-th powering is free in $GF(p^2)$, computation of the formulas in Theorem 5.1 takes only a small constant number of operations in $GF(p)$, where the following algorithm can be used for the division.

Algorithm 5.2 (Inversion in $GF(p^2)$) Let $x = x_1\alpha + x_2\alpha^2 \in GF(p^2)$. Compute $t = (x_1 x_2 + (x_1 - x_2)^2)^{-1} \in GF(p)$, then $1/x = t(x_2\alpha + x_1\alpha^2) \in GF(p^2)$.

Theorem 5.1 shows that including both $c_{k-1}$ and $c_{k+1}$ in the XTR public key is never necessary, and that $c_{k+1}$ (or $c_{k-1}$) suffices (assuming of course that $c$ and $c_k$ are part of the public key). Actually, even $c_{k+1}$ (or $c_{k-1}$) does in principle not have to be included, because the recipient can determine it by finding the roots of $F(c, X)$ and $F(c_k, X)$, leading to 3 possible representations $c_{k+1}$ ($c_{k-1}$). Thus, two bits in the public key would suffice to indicate which of the three representations is the correct one, but this would come at the cost of a considerable computation for the recipient of the key.

We now show that if $p \neq 8 \bmod 9$ then the results from Sections 3 and 4 can be used to formulate a fast method to compute $c_{k+1}$ given $c$ and $c_k$ (where, of course, $k$ is unknown) that does not require any additional bits in the public key. The method to compute $c_{k-1}$ given $c$ and $c_k$ is very similar and follows easily from the method for $c_{k+1}$. Roughly speaking the method works as suggested above, namely by computing explicit representations of $g$ and $g^k$ in $GF(p^6) = GF(p)[X]/(X^6 + X^3 + 1)$ (cf. Section 4) based on their representations $c$ and $c_k$, respectively, so that the value of $c_{k+1}$ follows as the trace over $GF(p^2)$ of $g \cdot g^k \in GF(p^6)$.

More precisely, the owner of the private key $k$ computes $c_k = Tr(g^k)$ given $c = Tr(g)$ and $k$. The same $c_k$ is obtained for $kp^2 \bmod q$ and $kp^4 \bmod q$ since $g^k$, $g^{kp^2}$, and $g^{kp^4}$ are conjugates over $GF(p^2)$ and thus have the same trace over $GF(p^2)$, namely $c_k$. As a side result of the computation of $c_k$, the owner of the private key obtains $c_{k+1} = Tr(g^{k+1})$ (cf. Section 2). However, the value $c_{k+1}$ thus obtained is in general not the same as the value that would be obtained for $kp^2 \bmod q$ or $kp^4 \bmod q$, because $Tr(g^{k+1})$, $Tr(g^{kp^2+1})$, and $Tr(g^{kp^4+1})$ are not the same unless $k \equiv 0 \bmod q$, despite the fact that $Tr(g^k)$, $Tr(g^{kp^2})$, and $Tr(g^{kp^4})$ are the same. This is because $g^{k+1}$, $g^{kp^2+1}$, and $g^{kp^4+1}$ are not conjugates over $GF(p^2)$ unless $k \equiv 0 \bmod q$, despite the fact that $g^k$, $g^{kp^2}$, and $g^{kp^4}$ are conjugates over $GF(p^2)$. It follows that for any pair $(c, c_k)$ there are three possible different values for $c_{k+1}$: one that corresponds to the proper secret value $k$, and two that correspond to the 'wrong' values $kp^2 \bmod q$ and $kp^4 \bmod q$. Any method to recover $c_{k+1}$ from $(c, c_k)$ will have to resolve this ambiguity. To do this without requiring additional bits in the public key we do the following. The owner of the private key computes not only $Tr(g^{k+1})$, but $Tr(g^{kp^2+1})$ and $Tr(g^{kp^4+1})$ as well. Next he selects the secret key $k$ as $k$, $kp^2 \bmod q$, or $kp^4 \bmod q$ depending on which of the three values $Tr(g^{k+1})$, $Tr(g^{kp^2+1})$, $Tr(g^{kp^4+1})$ is the 'smallest' (or 'largest')$^1$. It follows that $c_{k+1}$ is the 'smallest' possibility given the pair $(c, c_k)$. Obviously this way of changing an initially selected private key value $k$ does not have a negative impact on the security.
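Added example, not code from the paper: $GF(p^2)$ arithmetic in the basis $\{\alpha, \alpha^2\}$ including the inversion of Algorithm 5.2, the trace sequence $c_n$ from the recurrence quoted in the proof of Theorem 5.1, both formulas of Theorem 5.1, and the three candidates for $c_{k+1}$ that belong to $k$, $kp^2$ and $kp^4$ as described above. The prime $p = 11$ is a constructed toy value; $c = Tr(g)$ is the Corollary 4.4 value $(27\alpha + 3\alpha^2)/19$ used by Algorithm 4.5, and for this $p$ the exponent indices are taken modulo $p^2 - p + 1 = 111$, which the order of $g$ divides.

```python
# Toy-size check of Theorem 5.1, Algorithm 5.2 and the three-fold ambiguity of c_{k+1}.
# Constructed example: P is a toy prime; the generator trace is the page's Corollary 4.4 value.
P = 11              # constructed toy prime, 11 = 2 mod 9, so the Corollary 4.4 value below is a valid Tr(g)
M = P * P - P + 1   # 111; the order of g divides M, so all trace sequences below have period dividing M

# GF(p^2) in the basis {alpha, alpha^2} of [4], alpha^2 + alpha + 1 = 0;
# the pair (x1, x2) stands for x1*alpha + x2*alpha^2.
def gf_p2(n):                          # embed an integer, using 1 = -alpha - alpha^2
    return (-n % P, -n % P)
def add(x, y): return ((x[0] + y[0]) % P, (x[1] + y[1]) % P)
def sub(x, y): return ((x[0] - y[0]) % P, (x[1] - y[1]) % P)
def mul(x, y):                         # product in the basis, using alpha^3 = 1 and alpha^4 = alpha
    return ((x[1]*y[1] - x[0]*y[1] - x[1]*y[0]) % P, (x[0]*y[0] - x[0]*y[1] - x[1]*y[0]) % P)
def conj(x):                           # x^p is free: alpha^p = alpha^2 because p = 2 mod 3
    return (x[1], x[0])
def inv(x):
    """Algorithm 5.2: t = (x1 x2 + (x1 - x2)^2)^-1 in GF(p), then 1/x = t (x2 alpha + x1 alpha^2)."""
    t = pow((x[0]*x[1] + (x[0] - x[1])**2) % P, -1, P)
    return (t * x[1] % P, t * x[0] % P)

def generator_trace():
    """c = Tr(g) = (27 alpha + 3 alpha^2)/19: the Corollary 4.4 value for a = 1/2, p = 2 mod 9."""
    inv19 = pow(19, -1, P)
    return (27 * inv19 % P, 3 * inv19 % P)

def trace_sequence(c, n_max):
    """c_n = Tr(g^n) for n = 0..n_max from c_0 = 3, c_1 = c, c_2 = c^2 - 2c^p and the
    recurrence c_{n+2} = c c_{n+1} - c^p c_n + c_{n-1} used in the proof of Theorem 5.1."""
    cp = conj(c)
    cs = [gf_p2(3), c, sub(mul(c, c), mul(gf_p2(2), cp))]
    for n in range(1, n_max - 1):
        cs.append(add(sub(mul(c, cs[n + 1]), mul(cp, cs[n])), cs[n - 1]))
    return cs

def next_trace(c, ck, ckm1):
    """Theorem 5.1.1: c_{k+1} from c, c_k, c_{k-1}; defined when k != p, 1 - p mod q."""
    cp, c2, cp2 = conj(c), mul(c, c), mul(conj(c), conj(c))
    denom = sub(mul(cp, ckm1), mul(c, ck))                         # c^p c_{k-1} - c c_k
    if denom == gf_p2(0):
        raise ValueError("k = p or k = 1 - p mod q")
    num = mul(conj(ck), sub(c2, mul(gf_p2(3), cp)))               # c_k^p (c^2 - 3c^p)
    num = sub(num, mul(conj(ckm1), sub(cp2, mul(gf_p2(3), c))))   # - c_{k-1}^p (c^{2p} - 3c)
    num = sub(num, mul(c, mul(ckm1, ckm1)))                        # - c c_{k-1}^2
    num = add(num, mul(mul(ck, ck), sub(cp, c2)))                  # + c_k^2 (c^p - c^2)
    num = add(num, mul(mul(ck, ckm1), mul(c, cp)))                 # + c_k c_{k-1} c^{p+1}
    return mul(num, inv(denom))

def previous_trace(c, ck, ckp1):
    """Theorem 5.1.2: c_{k-1} from c, c_k, c_{k+1}; defined when k != -p, p - 1 mod q."""
    cp, c2, cp2 = conj(c), mul(c, c), mul(conj(c), conj(c))
    denom = sub(mul(c, ckp1), mul(cp, ck))                         # c c_{k+1} - c^p c_k
    if denom == gf_p2(0):
        raise ValueError("k = -p or k = p - 1 mod q")
    num = mul(conj(ck), sub(cp2, mul(gf_p2(3), c)))               # c_k^p (c^{2p} - 3c)
    num = sub(num, mul(conj(ckp1), sub(c2, mul(gf_p2(3), cp))))   # - c_{k+1}^p (c^2 - 3c^p)
    num = sub(num, mul(cp, mul(ckp1, ckp1)))                       # - c^p c_{k+1}^2
    num = add(num, mul(mul(ck, ck), sub(c, cp2)))                  # + c_k^2 (c - c^{2p})
    num = add(num, mul(mul(ck, ckp1), mul(c, cp)))                 # + c_k c_{k+1} c^{p+1}
    return mul(num, inv(denom))

def candidates_for_next(cs, k):
    """The three values of c_{k+1} compatible with (c, c_k): those belonging to k, k p^2 and k p^4."""
    return [cs[(k * P**(2 * i) + 1) % M] for i in range(3)]
```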

How this method enables the recipient of the pair $(c, c_k)$ to compute the proper $c_{k+1}$ without knowing $k$ is described in Algorithm 5.6 below. We first describe how the owner of the private key computes $Tr(g^{k+1})$, $Tr(g^{kp^2+1})$, and $Tr(g^{kp^4+1})$. A conceptually straightforward method would be for the owner of the private key to compute $c_m$ three times, once for $m = k$ itself, once for $m = kp^2 \bmod q$, and once for $m = kp^4 \bmod q$, and to pick the $k$ corresponding to the smallest $c_{m+1}$ (the three $c_m$'s are the same, as noted above). A more complicated but faster method is as follows. Suppose that $(c_{k-1}, c_k, c_{k+1})$ and $(c_{-p-1}, c_{-p}, c_{-p+1})$ have been computed, at the cost of $16\log_2(q)$ multiplications in $GF(p)$ (cf. Section 2). The values $c_{k \pm 2}$ can then easily be obtained, and $c_2 = c^2 - 2c^p$ (cf. [4]). To compute $Tr(g^{kp^2+1})$ we observe that $Tr(g^{kp^2+1}) = Tr(g^{kp^2 - p^3}) = Tr(g^{(k-p)p^2}) = Tr(g^{k-p})$. We then use Lemmas 2.4.2 and 2.4.5 from [4] and find that

$$\begin{pmatrix} Tr(g^{k-p-1}) \\ Tr(g^{k-p}) \\ Tr(g^{k-p+1}) \end{pmatrix}^{T} = \begin{pmatrix} c_{-p-1} \\ c_{-p} \\ c_{-p+1} \end{pmatrix}^{T} \begin{pmatrix} c_2^p & c^p & 3 \\ c^p & 3 & c \\ 3 & c & c_2 \end{pmatrix}^{-1} \begin{pmatrix} c_{k-2} & c_{k-1} & c_k \\ c_{k-1} & c_k & c_{k+1} \\ c_k & c_{k+1} & c_{k+2} \end{pmatrix},$$

so that $Tr(g^{kp^2+1})$ follows after a small constant number of multiplications in $GF(p)$. A similar matrix identity involving $(c_{p-1}, c_p, c_{p+1})$ (obtained using $c_{-n} = c_n^p$, cf. Section 2) is used to compute $Tr(g^{kp^2-1}) = Tr(g^{k+p})$. Given $(Tr(g^{kp^2-1}), Tr(g^{kp^2}), Tr(g^{kp^2+1}))$ (with $Tr(g^{kp^2}) = c_k$) and $(c_{-p-1}, c_{-p}, c_{-p+1})$, the same method is then used to compute $Tr(g^{kp^4+1})$.

The corresponding method to compute the 'smallest' $c_{k+1}$ given just $(c, c_k)$ but without knowing the secret $k$ relies on Algorithm 3.1, Scipione del Ferro's method. We need two auxiliary algorithms, the correctness of which follows by inspection (cf. Lemma 2.1.1 in [4]).

$^1$ For $x \in GF(p)$ let $\pi_0(x) \in \{0, 1, \ldots, p - 1\}$ be the image of $x$ under the 'natural' bijection between $GF(p)$ and $\{0, 1, \ldots, p - 1\}$. For $x = x_1\alpha + x_2\alpha^2 \in GF(p^2)$, using the representation of elements of $GF(p^2)$ from [4], let $\pi(x) = \pi_0(x_1) + p\,\pi_0(x_2)$. We use the ordering on $GF(p^2)$ induced by $\pi$.
Algorithm 5.3 (Exponentiation in $GF(p^2)$) Let $x \in GF(p^2)$ and let $e$ be an integer. To compute $x^e \in GF(p^2)$ do the following.

1. Compute $e_0, e_1 \in \{0, 1, \ldots, p - 1\}$ such that $e_0 + e_1 p \equiv e \bmod (p^2 - 1)$ and let $e_i = \sum_j e_{ij}2^j$, with $e_{ij} \in \{0, 1\}$ for $i = 0, 1$ and $j \geq 0$, be the binary representations of $e_0$ and $e_1$.

2. Let $n$ be the largest index such that $e_{in} \neq 0$ for $i = 0$ or $1$.

3. Compute $x' = x \cdot x^p \in GF(p)$.

4. Let $y = 1$ in $GF(p^2)$. For $j = n, n - 1, \ldots, 0$ in succession do the following:

– if $e_{0j} = 1$ and $e_{1j} = 1$, then replace $y$ by $y \cdot x'$;

– if $e_{0j} = 1$ and $e_{1j} = 0$, then replace $y$ by $y \cdot x$;

– if $e_{0j} = 0$ and $e_{1j} = 1$, then replace $y$ by $y \cdot x^p$;

– if $j > 0$, then replace $y$ by $y^2$.

5. Return $y = x^e \in GF(p^2)$.


Lemma 5.4 The expected cost of Algorithm 5.3 is $4\log_2(p)$ multiplications in $GF(p)$.

Algorithm 5.5 (Cube root in $GF(p^2)$ if $p \neq 8 \bmod 9$) To compute a cube root in $GF(p^6)$ of $r \in GF(p^2)$ perform the following steps.

1. Use Algorithm 5.3 to compute $t = r^{(8p^2 - 5)/9} \in GF(p^2)$ if $p \equiv 2 \bmod 9$ or $t = r^{(p^2 + 2)/9} \in GF(p^2)$ if $p \equiv 5 \bmod 9$.

2. Compute $s = t^3 \in GF(p^2)$ and determine $j = 0, 1$ or $2$ such that $\alpha^j s = r$.

3. Return a cube root $\zeta^j t \in GF(p^6)$ of $r$ (the result is in $GF(p^2)$ if $j = 0$).


Algorithm 5.6 (Key recovery) To compute the 'smallest' $c_{k+1}$ corresponding to $(c, c_k)$, perform the following steps.

1. Use Algorithm 3.1 to compute a root $g \in GF(p^6) = GF(p)[X]/(X^6 + X^3 + 1)$ of the polynomial $F(c, X)$, using Algorithm 5.5 to compute a cube root in Step 3. Note that Algorithm 5.2 can be used for the division by $u$ in Step 3, since $u$ is a $GF(p^2)$-multiple of a power of $\zeta$.

2. Use Algorithm 3.1 to compute the three roots $y_1, y_2, y_3 \in GF(p^6)$ of $F(c_k, X)$, with $w = \alpha$ in Step 4.

3. For $i = 1, 2, 3$ compute the trace $t_i$ over $GF(p^2)$ of $g y_i \in GF(p^6)$ (cf. Lemma 4.1).

4. Let $c_{k+1}$ be the 'smallest' of $t_1$, $t_2$, and $t_3$.


Theorem 5.7 Algorithm 5.6 can be expected to require $10.6\log_2(p)$ multiplications in $GF(p)$.

Proof. The square-root computation in Step 2 of Algorithm 3.1 can be expected to require $1.3\log_2(p)$ multiplications in $GF(p)$ (cf. the proof of Theorem 3.7). The application of Algorithm 5.5 in Step 3 of Algorithm 3.1 requires a call to Algorithm 5.3, at an expected cost of $4\log_2(p)$ multiplications in $GF(p)$ (cf. Lemma 5.4). Thus, a single call to Algorithm 3.1 can be expected to require $5.3\log_2(p)$ multiplications in $GF(p)$, from which the proof follows.

We conclude that $Tr(g^{k-1})$ and $Tr(g^{k+1})$ do not have to be included in the XTR public key data $(p, q, Tr(g), Tr(g^k))$ for digital signature or authentication applications, if

1. the owner of the private key has selected its private exponent $k$ in the proper fashion as explained above, and if

2. the recipient of the public key is willing and able to perform Algorithm 5.6 to compute $Tr(g^{k+1})$ followed by an application of Theorem 5.1 to compute $Tr(g^{k-1})$.

To summarize, there are three options for XTR public keys used for digital signatures or authentication, namely to include one, two, or all three of the values $Tr(g^{k-1})$, $Tr(g^k)$, $Tr(g^{k+1})$. In some applications, e.g. issuance of a certificate by a Certificate Authority, it may be required that the relative correctness of these components can be verified by a third party. A method to do this will be published at a later date (cf. [5]).

Acknowledgment. The method from Section 4 is based on a more general 
argument from H.W. Lenstra, Jr. We gratefully acknowledge his assistance. 
Abstract. In this work we investigate the difficulty of the discrete logarithm problem in class groups of imaginary quadratic orders. In particular, we discuss several strategies to compute discrete logarithms in those class groups. Based on heuristic reasoning, we give advice for selecting the cryptographic parameter, i.e. the discriminant, such that cryptosystems based on class groups of imaginary quadratic orders would offer a similar security as commonly used cryptosystems.


1 Introduction 

Cryptosystems based on class groups of imaginary quadratic orders (IQC) were first proposed by Buchmann and Williams [3,4] in 1988 and 1990. Since then, there has been no clear advice on how to select the cryptographic parameter, i.e. the discriminant of the quadratic order. The goal of this work is to close this gap. In particular, we demonstrate how large $\Delta$ must be selected such that computing logarithms in $Cl(\Delta)$ is as hard as factoring an integer $n$ of given size. We consider several strategies for computing discrete logarithms in class groups, such as reductions to other computational problems, index-calculus algorithms, Pollard's $\lambda$ algorithm, and the Pohlig-Hellman algorithm in connection with an algorithm similar to the $(p - 1)$-factoring method. We obtain the result that, in order to get the same security with IQC as with RSA with 1024 bit moduli, the discriminant should have at least 687 bits.

The security of IQC is based on the apparent difficulty of computing discrete logarithms in class groups of imaginary quadratic orders (Cl-DLP). The Cl-DLP can be extended to class groups of orders of number fields with arbitrarily high degree, and, furthermore, there is a generalization of the discrete logarithm problem [2]. However, in this work we shall focus only on imaginary quadratic fields, and whenever the term "class groups" appears in the sequel, we actually mean class groups of imaginary quadratic orders.

It is well known that solving the Cl-DLP is at least as hard as solving the integer factorization problem (IFP); we shall describe the reduction later in this work. However, it is still unknown whether the Cl-DLP is really harder than the IFP. The Cl-DLP can be solved with a subexponential index-calculus algorithm due to Hafner and McCurley [11]. This algorithm was improved by Düllmann [9]. Recently, in [30] it has been rigorously proven under the Generalized Riemann Hypothesis that for solving the Cl-DLP using index-calculus algorithms one can expect a running time proportional to $L_{|\Delta|}[\tfrac{1}{2}, \tfrac{3}{4}\sqrt{2} + o(1)]$ where $\Delta$ is the discriminant of the imaginary quadratic order. Moreover, Jacobson [16] has applied the ideas of the MPQS to class group computations. In fact, the machinery behind his algorithm is the same as that of the original MPQS, and although this algorithm has not been analyzed, empirical data suggest a running time proportional to $L_{|\Delta|}[\tfrac{1}{2}, 1 + o(1)]$.

The best known algorithm to solve the IFP is the GNFS with asymptotic expected running time proportional to $L_n$ where $n$ is the number to be factored; the best known algorithm to solve the GF-DLP (DLP in multiplicative groups of Galois fields) is a variant of the GNFS with a similar asymptotic expected running time where $n$ is the order of the group. Thus, currently the IFP or the GF-DLP can be solved asymptotically faster than the Cl-DLP. This means that the Cl-DLP is apparently harder than the IFP or the GF-DLP.

Hence class groups form another potential alternative to finite fields for DL-based cryptographic protocols. Unfortunately, popular signature protocols such as DSA can't be used with class groups in a direct way, because DSA requires the knowledge of the group order. Computing the order of an arbitrary class group appears to be as hard as computing discrete logarithms in class groups because no efficient algorithm is known that computes the class number. In [22] a variant of the Schnorr signature scheme that doesn't require knowledge of the group order has been proposed.

Computing roots without knowing the class number also appears to be in- 
tractable. This makes the Guillou-Quisquater signature protocol [10] suitable for 
class groups, since in this protocol even the signer does not need to know the 
class number. Moreover, in [1] a variant of DSA was presented that is based on 
the intractability of computing roots in finite abelian groups. 

This paper is organized as follows: In Section 2 we recall the background we 
need, and in Section 3 we give advice for selecting the security parameters. 

2 Class Groups 

Recall that we consider class groups of imaginary quadratic fields only. We shall only state some necessary facts without proofs; for details we refer to [12]. Let $\Delta$ be a negative integer such that $\Delta \equiv 0, 1 \pmod 4$. Then $\Delta$ is the discriminant of a unique order of $\mathbb{Q}(\sqrt{\Delta})$, namely $\mathcal{O}_\Delta = \mathbb{Z} + \mathbb{Z}(\Delta + \sqrt{\Delta})/2$. $\mathcal{O}_\Delta$ is maximal if and only if $\Delta$ is fundamental, i.e. if $\Delta$ is square free in case $\Delta \equiv 1 \pmod 4$ or if $\Delta/4$ is square free in case $\Delta \equiv 0 \pmod 4$.

Let $\mathcal{O}_\Delta$ be any (not necessarily maximal) order. The class group of $\mathcal{O}_\Delta$ is denoted by $Cl(\Delta)$; its elements are equivalence classes of invertible ideals of $\mathcal{O}_\Delta$. The group order of $Cl(\Delta)$ is the class number $h(\Delta)$. Later in this work we shall need the odd parts of class groups. We denote the odd part of a class group $Cl(\Delta)$ by $Cl_{odd}(\Delta)$ and its cardinality by $h_{odd}(\Delta)$.
Any integral ideal of $\mathcal{O}_\Delta$ can be expressed as $\mathbb{Z}a + \mathbb{Z}(b + \sqrt{\Delta})/2$ such that $a, b \in \mathbb{Z}$, $a > 0$ and $4a \mid (b^2 - \Delta)$, that is, such that there exists a positive integer $c$ such that $\Delta = b^2 - 4ac$. Thus we represent ideals as pairs $(a, b)$ of integers.

Observe that if $b = 0$ or $b = a$, then $\Delta = -4ac$ or $\Delta = a(a - 4c)$, respectively, and if $a = c$, then $\Delta = (b - 2a)(b + 2a)$. Ideals of any of these forms are called ambiguous, and their classes have order two in $Cl(\Delta)$.

An ideal is said to be reduced if $\gcd(a, b, c) = 1$, $-a < b \leq a \leq c$, and $b \geq 0$ if $a = c$. Each equivalence class of $\mathcal{O}_\Delta$ contains exactly one reduced ideal. Thus the elements of $Cl(\Delta)$ can be represented by the reduced ideals of $\mathcal{O}_\Delta$, and checking equality of two ideal classes means comparing the representatives. The neutral element of $Cl(\Delta)$ is represented by $(1, \Delta \bmod 2)$. The group operation of $Cl(\Delta)$ is ideal multiplication followed by reduction (e.g. see [16] or [6, Chap. 5]). It can be shown that a group operation requires $O(\log^2 |\Delta|)$ bit operations. The inverse of the ideal class represented by $(a, b)$ under this operation is the ideal class represented by $(a, -b)$. If an ideal $(a, b)$ is reduced, then $a \leq \sqrt{|\Delta|/3}$, therefore $a, |b| = O(\sqrt{|\Delta|})$.

3 Selecting the Class Group 

In this section we shall see that the discriminant is the cryptographic parameter. We shall discuss how to select a discriminant such that, based on heuristic grounds, computing discrete logarithms or the order of arbitrary elements in the corresponding class group is intractable. In particular,

– $\Delta$ must be chosen so that there is no efficient reduction of the Cl-DLP to simpler problems,

– $|\Delta|$ must be large enough to preclude attacks with index-calculus algorithms,

– $h(\Delta)$ must be large enough to preclude attacks with $\rho$ or $\lambda$ algorithms,

– $h(\Delta)$ must not be smooth in order to preclude the computation of $h(\Delta)$ by an algorithm similar to the $(p - 1)$-factoring algorithm with subsequent application of the Pohlig-Hellman algorithm.

It is tempting to ask whether the discriminant can be chosen such that its 
class number has properties selected a priori. However, we do not have much 
control over the class number; there is not even a probabilistic efficient algorithm 
known that outputs a fundamental discriminant whose class number has certain 
interesting properties, e.g. contains a large prime factor. 

We shall show in the following subsections that if $\Delta$ is chosen appropriately, then the above conditions hold with high probability. In particular, in Sect. 3.1 we show that selecting $\Delta = -p$ or $\Delta = -8pq$ where $p, q$ are primes precludes reductions to the GF-DLP and keeps the two-part of $Cl(\Delta)$ small. In Sect. 3.2 we show how large $\Delta$ must be to preclude index-calculus attacks. In Sect. 3.3 we show how large the class group must be to preclude attacks with the aid of Pollard's $\lambda$-method; based on the Brauer-Siegel theorem we deduce the required size of the discriminant. In Sect. 3.4 we describe the relevance of the Pohlig-Hellman algorithm for class groups and discuss a possible application on class groups of smooth order in conjunction with an algorithm similar to the $(p - 1)$-factoring method. Let a smoothness bound $B$ be given; in Sect. 3.5, based on heuristic assumptions we show how $\Delta$ must be chosen so that the class number is $B$-smooth only with negligible probability.

It turns out that asymptotically the selection of the discriminant size depends 
only on the index-calculus methods. Moreover, since the best known algorithm 
to compute class numbers of fundamental discriminants are again index-calculus 
methods, it is infeasible to compute the class number of fundamental discrimi- 
nants if these are large. Therefore, the Pohlig-Hellman algorithm plays no role 
for class groups of maximal orders, unless the class number is smooth, because 
then an algorithm similar to the ( p — l)-factoring algorithm can be applied to 
compute the class number. 


3.1 Class Group Computation by Reduction to Other Problems

Let $\Delta$ be a negative fundamental discriminant and let $f$ be a positive integer.
Then, if $\Delta \ne -3, -4$,

    h(\Delta f^2) = h(\Delta)\, f \prod_{p \mid f} \left( 1 - \left(\frac{\Delta}{p}\right) \frac{1}{p} \right) ,          (1)

where $(\Delta/p)$ denotes the Kronecker symbol. For instance, $h(-8) = 1$ and
$h(-8p^2) = p - (-8/p)$. Since in general it is intractable to compute class numbers
of large fundamental discriminants (see below), this could be a nice way to
avoid such computations altogether and yet know the class number.

However, the Cl-DLP in $Cl(-8p^2)$ can be reduced in polynomial time to the
GF-DLP in $\mathbb{F}_p$ [14]. Currently no similar efficient reductions for maximal orders
are known. Therefore we shall use only class groups of maximal orders, and in
the sequel $\Delta$ will always be fundamental and thus $\mathcal{O}_\Delta$ will be maximal.


Selection of a Fundamental Discriminant. In order to check whether an
arbitrary discriminant $\Delta$ is fundamental, it must be checked whether $\Delta$ (if $\Delta \equiv 1 \pmod 4$)
or $\Delta/4$ (if $\Delta \equiv 0 \pmod 4$) is square free. This can be achieved
by factoring the discriminant, but this is infeasible if the discriminant under
consideration is large. A better method is to construct $D$ from distinct prime
factors, and set $\Delta = -D$ if $D \equiv 3 \pmod 4$ and $\Delta = -4D$ otherwise.

Some of the simplest cases are

1. $\Delta = -p$ where $p \equiv 3 \pmod 4$ is prime; and

2. $\Delta = -8pq$ where $p$ and $q$ are primes such that $p \equiv 1 \pmod 8$, $p + q \equiv 8 \pmod{16}$,
   and $(p/q) = -1$, where $(p/q)$ denotes the Legendre symbol.

Discriminants selected like this have the additional advantage that the two-part
of the class number is known to be small: in case 1, $h(\Delta)$ is odd; in case 2, the
even part of $h(\Delta)$ is exactly 8 (see [17, Proposition B'9]).

Observe that $\Delta = -8pq$ is attractive by a complexity theoretic argument, because
if $\Delta$ is composite, then $Cl(\Delta)$ has non-trivial ambiguous elements, whose
components lead immediately to a factorization of $\Delta$; these ambiguous elements
can be obtained by computing discrete logarithms in $Cl(\Delta)$ [25], therefore IFP
$\le$ Cl-DLP. This means that if $\Delta$ is chosen like this and $p$ and $q$ are not disclosed,
then solving the Cl-DLP for $\Delta$ is at least as hard as breaking IFP-based
cryptosystems such as RSA with modulus $pq$.


3.2 Class Group Computations by Index-Calculus Techniques

Let $L_x[e, c]$ be defined as usual, that is

    L_x[e, c] = \exp\bigl( c (\log x)^e (\log\log x)^{1-e} \bigr)                         (2)

for real positive $x$, real positive $c$, and $0 < e < 1$. In practice, instead of the term
$L_x[e, c]$ we often see $L_x[e, c + o(1)]$, but in the sequel we shall ignore the $o(1)$
term.

We want to compare the expected computational work for solving the IFP
and the Cl-DLP. In the following, we assume the expected running time for
factoring an integer $n$ by the GNFS to be proportional to $L_n$. For the
Cl-DLP, index-calculus algorithms with an expected running time proportional
to $L_{|\Delta|}[\frac{1}{2}, \sqrt{2}]$ have been presented in [30]. However, Jacobson [16] showed that
one can use a variant of the MPQS for DL-computations in $Cl(\Delta)$. The MPQS
factoring algorithm has a conjectured expected running time proportional to
$L_n[\frac{1}{2}, 1]$, while the MPQS DL-computation algorithm hasn't been analyzed
yet (not even heuristically). Empirical data suggest an expected running time
of $L_{|\Delta|}[\frac{1}{2}, 1]$, so we shall base our arguments on this running time. In terms of
security and efficiency, this will yield slightly larger keys: if we underestimate the
running time of the Cl-MPQS, we overestimate the size of the security relevant
parameters. This conservative approach is quite common practice.

The usual approach to estimate running times of an algorithm for large input
parameters is to start from the empirical running time for smaller input parameters.
If $x_1$ and $x_2$ are inputs for an algorithm with expected running time $L_x[e, c]$
and $t_1$ is the running time of the algorithm when executed with $x_1$, then the
running time $t_2$ of the algorithm with input $x_2$ can be estimated by the equation

    \frac{L_{x_1}[e, c]}{L_{x_2}[e, c]} = \frac{t_1}{t_2}                                   (3)

(cf. [21] or [18]). However, this holds only if the sizes of $x_1$ and $x_2$ do not differ
too much; otherwise it can't be ignored that $o(1) \to 0$. Thus, if $x_2$ is much larger
than $x_1$, then $t_2$ will be a significant overestimate. (For more precise estimates
taking into account the $o(1)$ term, see [13]. We stick to (3) since the estimates
presented here differ only slightly from those given in [13].)

Table 1 shows some extrapolated running times for the GNFS. They are based
on data points of the factorization of RSA-155 (155 decimal digits, 512 bits) with
the GNFS [28]. In particular, it was estimated that about 8000 MIPS-years were
spent.

Table 1. Estimated expected computational work of the GNFS for larger inputs

    magnitude of n    expected no. of MIPS-years to factor n
    2^512             8.00 x 10^3
    2^768             4.91 x 10^7
    2^1024            5.99 x 10^10
    2^1280            2.68 x 10^13
    2^1536            5.97 x 10^15
    2^1792            7.91 x 10^17
    2^2048            6.98 x 10^19
    2^2560            2.16 x 10^23
    2^3072            2.64 x 10^26
    2^3584            1.63 x 10^29
    2^4096            5.87 x 10^31

To estimate the expected running time of the MPQS for DL-computations in
class groups for large groups, we made extensive experiments where we computed
discrete logarithms in 20 class groups of different negative discriminants for each
magnitude tabulated below. The computations were carried out on a Sparc with
Ultra-170 processor using Jacobson's MPQS implementation, which is part of
the C++ library LiDIA [19]. The results are summarized in Table 2.

Table 2 supports the conjectured running time of $L_{|\Delta|}[\frac{1}{2}, 1]$ for the MPQS.
Note also that the standard deviation is almost always about half the running
time. This shows that the running times are widely spread, which in turn confirms
our reservations about taking just a single sample.

SUN Microsystems does not publish MIPS ratings for its machines, and in
fact, the unit MIPS-year is actually not appropriate [27]. However, it is widely
used, so for simplicity we assume 100 MIPS, which is a value of reasonable order
of magnitude for the machine that we used. By Table 2 let us assume that
$L_{|\Delta|}[\frac{1}{2}, 1] / t_\Delta = 1.8 \times 10^7\ \mathrm{sec}^{-1}$. Then we obtain the extrapolations in Table 3.

When we align the parameters of the IFP and of the Cl-DLP in such a
way that the expected running time for solving the Cl-DLP roughly equals the
expected running time for solving the IFP for $n$ of some particular magnitudes,
we arrive at Table 4.
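The extrapolation rule (3) and the alignment behind Table 4 can be reproduced with a short script. The following is an added example, not code from the paper: it assumes the standard GNFS exponent $L_n[1/3, (64/9)^{1/3}]$ (not printed in the text above), the RSA-155 data point (8000 MIPS-years at 512 bits), the Cl-MPQS rate of $1.8 \times 10^7\ \mathrm{sec}^{-1}$ and the 100 MIPS rating assumed in this section; all function names are the example's own.

```python
import math

# Added example, not the paper's code: the L-notation of (2), the extrapolation
# rule (3) applied to the RSA-155 data point and to the measured Cl-MPQS rate,
# and the alignment of IFP and Cl-DLP parameters that produces Table 4.
# Assumption (not printed in the extracted text): GNFS runs in L_n[1/3, (64/9)^(1/3)].

LN2 = math.log(2.0)
SECONDS_PER_YEAR = 365.25 * 86400.0


def L(bits, e, c):
    """L_x[e, c] = exp(c * (ln x)^e * (ln ln x)^(1-e)) for x = 2^bits, o(1) ignored."""
    ln_x = bits * LN2
    return math.exp(c * ln_x ** e * math.log(ln_x) ** (1.0 - e))


GNFS_E, GNFS_C = 1.0 / 3.0, (64.0 / 9.0) ** (1.0 / 3.0)   # assumed GNFS parameters
RSA155_BITS, RSA155_MIPS_YEARS = 512, 8.0e3                # data point of Sect. 3.2


def gnfs_mips_years(modulus_bits):
    """Equation (3): t2 = t1 * L_{x2}[e, c] / L_{x1}[e, c], scaled from RSA-155."""
    ratio = L(modulus_bits, GNFS_E, GNFS_C) / L(RSA155_BITS, GNFS_E, GNFS_C)
    return RSA155_MIPS_YEARS * ratio


CLMPQS_RATE = 1.8e7      # L_|D|[1/2, 1] / t_D in 1/sec, the Table 2 average used above
MACHINE_MIPS = 100.0     # MIPS rating assumed for the Sparc Ultra-170


def clmpqs_mips_years(disc_bits):
    """Expected Cl-MPQS work for |D| ~ 2^disc_bits under the L_|D|[1/2, 1] conjecture."""
    seconds = L(disc_bits, 0.5, 1.0) / CLMPQS_RATE
    return seconds / SECONDS_PER_YEAR * MACHINE_MIPS


def aligned_discriminant_bits(modulus_bits, lo=128, hi=8192):
    """Discriminant size whose Cl-DLP work is closest (in log scale) to the GNFS
    work for a modulus of modulus_bits bits, i.e. one row of Table 4."""
    target = math.log(gnfs_mips_years(modulus_bits))
    return min(range(lo, hi + 1),
               key=lambda b: abs(math.log(clmpqs_mips_years(b)) - target))


if __name__ == "__main__":
    for n_bits in (768, 1024, 1536, 2048, 3072, 4096):
        d_bits = aligned_discriminant_bits(n_bits)
        print(f"n ~ 2^{n_bits}: GNFS {gnfs_mips_years(n_bits):.2e} MIPS-years; "
              f"|D| ~ 2^{d_bits}: Cl-MPQS {clmpqs_mips_years(d_bits):.2e} MIPS-years")
```

The script reproduces Tables 1 and 3 to within rounding and returns 687 bits for a 1024 bit modulus, as in Table 4.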


3.3 Class Group Computations by Pollard's $\lambda$ Method

We now consider Pollard's $\lambda$ method for computing discrete logarithms, orders
of group elements and hence roots of group elements. From [29] it is known that
the unparallelized version of this algorithm takes $\sqrt{\pi |G| / 2}$ group operations
(ignoring lower order terms) for cyclic groups $G$. Moreover, $r$-fold parallelization
speeds up the $\lambda$-method by a factor of $r$.
Table 2. Empirical computational work of the Cl-MPQS for relatively small inputs

    magnitude of |Δ|   mean running time   standard deviation   L_|Δ|[1/2, 1] / t_Δ
                       t_Δ (sec)           (sec)                (sec^-1)
    2^140              8.59 x 10^1         3.58 x 10^1          1.65 x 10^7
    2^142              1.29 x 10^2         8.66 x 10^1          1.31 x 10^7
    2^144              1.36 x 10^2         5.32 x 10^1          1.50 x 10^7
    2^146              1.32 x 10^2         3.87 x 10^1          1.85 x 10^7
    2^148              1.98 x 10^2         6.98 x 10^1          1.47 x 10^7
    2^150              2.20 x 10^2         1.38 x 10^2          1.59 x 10^7
    2^152              2.63 x 10^2         1.44 x 10^2          1.59 x 10^7
    2^154              3.26 x 10^2         1.82 x 10^2          1.53 x 10^7
    2^156              3.52 x 10^2         1.64 x 10^2          1.69 x 10^7
    2^158              4.90 x 10^2         3.28 x 10^2          1.44 x 10^7
    2^160              4.41 x 10^2         1.98 x 10^2          1.90 x 10^7
    2^162              7.67 x 10^2         4.21 x 10^2          1.30 x 10^7
    2^164              6.84 x 10^2         2.20 x 10^2          1.73 x 10^7
    2^166              8.79 x 10^2         3.22 x 10^2          1.60 x 10^7
    2^168              1.07 x 10^3         4.12 x 10^2          1.56 x 10^7
    2^170              1.49 x 10^3         8.25 x 10^2          1.33 x 10^7
    2^172              1.74 x 10^3         8.99 x 10^2          1.34 x 10^7
    2^174              1.54 x 10^3         9.83 x 10^2          1.79 x 10^7
    2^176              1.61 x 10^3         8.45 x 10^2          2.03 x 10^7
    2^178              2.77 x 10^3         1.37 x 10^3          1.39 x 10^7
    2^180              2.73 x 10^3         1.39 x 10^3          1.67 x 10^7
    2^184              3.37 x 10^3         1.82 x 10^3          1.87 x 10^7
    2^188              4.07 x 10^3         1.95 x 10^3          2.14 x 10^7
    2^192              5.96 x 10^3         2.86 x 10^3          2.02 x 10^7
    2^196              9.23 x 10^3         3.80 x 10^3          1.79 x 10^7
    2^200              1.30 x 10^4         5.13 x 10^3          1.74 x 10^7
    2^210              2.63 x 10^4         8.49 x 10^3          1.87 x 10^7
    2^220              6.28 x 10^4         3.78 x 10^4          1.68 x 10^7


By the heuristics of Cohen and Lenstra [7,8], the probability that $Cl_{odd}(\Delta)$
is cyclic is 0.9775. Moreover, it can be deduced from the heuristics that if
$Cl_{odd}(\Delta)$ is not cyclic, then with high probability $Cl_{odd}(\Delta)$ has a cyclic subgroup
$G_{cyc}$ such that the order of $G_{cyc}$ is of nearly the same order of magnitude as $h_{odd}(\Delta)$, and
therefore, by our selection of $\Delta$, the even part is 1 or 8 and thus $|G_{cyc}|$ and $h(\Delta)$
have nearly the same order of magnitude.

Table 3. Estimated expected computational work of the Cl-MPQS for larger inputs

    magnitude of |Δ|   expected no. of MIPS-years for solving the Cl-DLP in Cl(Δ)
    2^256              2.58
    2^384              9.75 x 10^3
    2^512              1.18 x 10^7
    2^640              6.74 x 10^9
    2^768              2.24 x 10^12
    2^896              4.94 x 10^14
    2^1024             7.79 x 10^16
    2^1280             8.90 x 10^20
    2^1536             4.56 x 10^24
    2^1792             1.26 x 10^28
    2^2048             2.13 x 10^31
    2^2560             1.92 x 10^37
    2^3072             5.30 x 10^42
    2^3584             5.88 x 10^47
    2^4096             3.15 x 10^52

Table 4. Estimated expected computational work of the GNFS for factoring
integers and the Cl-MPQS for computing discrete logarithms in class groups, aligned

    magnitude of n   magnitude of |Δ|   expected no. of MIPS-years
    2^768            2^540              4.99 x 10^7
    2^1024           2^687              6.01 x 10^10
    2^1536           2^958              5.95 x 10^15
    2^2048           2^1208             7.05 x 10^19
    2^3072           2^1665             2.65 x 10^26
    2^4096           2^2084             5.87 x 10^31

In order to provide a lower bound for $\Delta$ we need an (asymptotic) lower
bound for $h(\Delta)$ that depends on $\Delta$ only. The best proven explicit lower bound
is $h(\Delta) > \frac{1}{55} \ln|\Delta| \, (1 - \ldots)$ [6, Sect. 5.10.1], which is too weak for
our purposes. By the Brauer-Siegel Theorem we know that $\ln h(\Delta) \sim \ln\sqrt{|\Delta|}$
as $\Delta \to -\infty$, that is, $|\Delta|^{1/2 - \varepsilon} < h(\Delta) < |\Delta|^{1/2 + \varepsilon}$ for any positive real $\varepsilon$ and
sufficiently large $|\Delta|$, but no explicit constants are known to make this statement
effective. However, if one assumes the Extended Riemann Hypothesis, then it is
possible to show [20] that

    h(\Delta) > c_1 \frac{(1 + o(1)) \sqrt{|\Delta|}}{\log\log|\Delta|}                              (4)

for $\Delta \ne -3, -4$ where $c_1 = \pi / (12 e^{\gamma}) \approx 0.147$. Moreover, it is possible to show
that $h(\Delta)$ is on average $c_2 \sqrt{|\Delta|}$ where $c_2 = 0.461559\ldots$ [6, Sect. 5.10.1]. This
result has been proven for averages taken over class numbers of fundamental discriminants.
In this work we make the assumption that this result is not affected
by the restriction to the special discriminants given in Sect. 3.1.

Example. The time to perform a single group operation in $Cl(\Delta)$ depends on $\Delta$,
yet let us assume a fixed time of 1 ms on a machine with a computing power of
100 MIPS. Then the computational work of a single MIPS-year is equivalent to
about $2^{28.23}$ group operations. Based on this assumption and on the assumed
average for the class number of a prime discriminant, in Table 5 we present some
samples for (prime) discriminants, their average class number, and the expected
computing amount for computing discrete logarithms by the $\lambda$-method.

Table 5. Estimated expected computational work of the λ-method

    magnitude of h(Δ)   magnitude of |Δ|   expected no. of group operations   expected no. of MIPS-years
                                           sqrt(π h(Δ) / 2)
    2^108               2^218              2^54                               4.56 x 10^7
    2^129               2^260              2^64                               6.60 x 10^10
    2^162               2^326              2^81                               6.12 x 10^15
    2^189               2^380              2^94                               7.09 x 10^19
    2^233               2^468              2^116                              2.97 x 10^26
    2^268               2^538              2^134                              5.51 x 10^31


3.4 Class Group Computations and the Pohlig-Hellman Algorithm

The Pohlig-Hellman algorithm utilizes the prime factorization of the group order
in order to simplify DL computations. However, the best known algorithm for
computing the class number is a variant of MPQS for DL computations in class
groups and has heuristically the same expected asymptotic running time as the
original MPQS. Thus, if $|\Delta|$ is large, it is infeasible to compute $h(\Delta)$ or even
odd multiples or factors (in particular the smooth part) of $h(\Delta)$. Moreover,
there is no efficient method known that checks whether a particular odd prime
divides $h(\Delta)$. Consequently, the Pohlig-Hellman algorithm is not applicable to
class groups in general. There are also cryptographic protocols (e.g. the Guillou-Quisquater
signature protocol) that depend explicitly on the fact that the group
order is unknown.

We now consider the special case when $h(\Delta)$ is smooth. If the class number
is smooth, then it is possible to compute the order of an arbitrary element by a
method similar to the $(p - 1)$-factoring algorithm. That is, given $\gamma \in Cl(\Delta)$, set
$\alpha_0 = \gamma$ and successively compute $\alpha_i = \alpha_{i-1}^{p_i^{e(p_i, B)}}$ for all $p_i \le B$, where $p_i$ is the
$i$-th prime, $B$ is a smoothness bound, and $e(p_i, B)$ depends only on $p_i$ and $B$.
For instance, if $e(p_i, B) = \log_{p_i} B$ for each $p_i$, then the algorithm will cover each
possible prime power below the smoothness bound. A similar method is used in
the factoring algorithm of Schnorr and Lenstra [25].

If $h(\Delta)$ is $B$-smooth, then this computation may yield $1_{Cl(\Delta)}$. If this happens,
then there is an $i$ such that $\alpha_i = 1_{Cl(\Delta)}$ but $\alpha_{i-1} \ne 1_{Cl(\Delta)}$, and we immediately
know that $p_i$ is the largest prime factor of $\mathrm{ord}_{Cl(\Delta)}\, \gamma$. If we set $\gamma' = \gamma^{p_i^{e(p_i)}}$
where $e(p_i)$ is the smallest positive integer such that $\alpha_{i-1}^{p_i^{e(p_i)}} = 1_{Cl(\Delta)}$ and repeat
the complete procedure with $\gamma'$, then we obtain the second largest prime factor,
and eventually we get the complete prime factorization of $\mathrm{ord}_{Cl(\Delta)}\, \gamma$. Then we
are able to compute roots as well as discrete logarithms in $\langle \gamma \rangle$ by applying the
Pohlig-Hellman algorithm.
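As an added example (not code from the paper or from LiDIA), the following script runs the $(p-1)$-like order computation just described in a constructed toy class group, $Cl(-239)$ with $h(-239) = 15 = 3 \cdot 5$, the kind of smooth class number the discriminant selection of this paper is designed to avoid. It uses textbook composition and reduction of binary quadratic forms for the group operation; all function names are the example's own.

```python
# Added example, not the paper's code: the (p-1)-like order computation of
# Sect. 3.4 on a toy class group.  Ideals are handled as reduced positive definite
# forms (a, b, c) of discriminant D; the constructed toy input D = -239 (prime,
# 239 = 3 mod 4, case 1 of Sect. 3.1) has the smooth class number h(-239) = 15.

def egcd(a, b):
    """Extended Euclid: (g, x, y) with x*a + y*b = g = gcd(a, b) >= 0."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return (a, x0, y0) if a >= 0 else (-a, -x0, -y0)

def reduce_form(a, b, c, D):
    """Reduce (a, b, c) to the unique reduced form of its class (Cohen, Alg. 5.4.2)."""
    while True:
        if -a < b <= a:
            if a > c:                       # not yet a <= c: swap and go on
                a, b, c = c, -b, a
                continue
            if a == c and b < 0:
                b = -b
            return (a, b, c)
        b = b % (2 * a)                     # normalise b into (-a, a]
        if b > a:
            b -= 2 * a
        c = (b * b - D) // (4 * a)

def compose(f1, f2, D):
    """Product of two form classes of discriminant D (Cohen, Alg. 5.4.7), reduced."""
    if f1[0] > f2[0]:
        f1, f2 = f2, f1
    a1, b1, c1 = f1
    a2, b2, c2 = f2
    s = (b1 + b2) // 2
    n = b2 - s
    if a2 % a1 == 0:
        y1, d = 0, a1
    else:
        d, y1, _ = egcd(a2, a1)             # y1*a2 + v*a1 = d = gcd(a1, a2)
    if s % d == 0:
        x2, y2, d1 = 0, -1, d
    else:
        d1, x2, v = egcd(s, d)              # x2*s + v*d = d1 = gcd(s, d)
        y2 = -v
    v1, v2 = a1 // d1, a2 // d1
    r = (y1 * y2 * n - x2 * c2) % v1
    a3 = v1 * v2
    b3 = b2 + 2 * v2 * r
    c3 = (c2 * d1 + r * (b2 + v2 * r)) // v1
    return reduce_form(a3, b3, c3, D)

def identity(D):
    b = D % 2                               # the neutral element (1, D mod 2)
    return (1, b, (b * b - D) // 4)

def power(f, k, D):
    """f^k in Cl(D) by square-and-multiply."""
    result, base = identity(D), f
    while k:
        if k & 1:
            result = compose(result, base, D)
        base = compose(base, base, D)
        k >>= 1
    return result

def primes_upto(B):
    return [p for p in range(2, B + 1) if all(p % q for q in range(2, int(p ** 0.5) + 1))]

def smooth_order(gamma, D, B):
    """Prime factorisation {p: e} of ord(gamma) found by the (p-1)-like method with
    smoothness bound B and e(p, B) = floor(log_p B); None if 1 is never reached."""
    one = identity(D)
    factors = {}
    g = gamma
    while g != one:
        alphas = [g]                        # alpha_0 = g
        found = None
        for p in primes_upto(B):
            e = 0
            while p ** (e + 1) <= B:        # e(p, B) = floor(log_p B)
                e += 1
            alphas.append(power(alphas[-1], p ** e, D))   # alpha_i = alpha_{i-1}^(p^e)
            if alphas[-1] == one:
                found = p                   # largest prime factor of ord(g)
                break
        if found is None:
            return None
        e = 1                               # smallest e with alpha_{i-1}^(p^e) = 1
        while power(alphas[-2], found ** e, D) != one:
            e += 1
        factors[found] = e
        g = power(g, found ** e, D)         # strip p^e off the order and repeat
    return factors
```

For the class of the ideal $(2, 1)$ and $B = 7$ the routine returns `{5: 1, 3: 1}`, i.e. the element has order 15, while $B = 4$ is too small and returns `None`.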

Assume that the $(p - 1)$-like method above succeeds for an element $\gamma$ and
a bound $B$, and let $q$ denote the largest prime factor of $\mathrm{ord}_{Cl(\Delta)}\, \gamma$. It is obvious
that if we use a fast exponentiation method, then we have to perform at
least $\sum_{p \le q} e(p, B) \log_2 p$ group operations to find $q$. In order to find a smoothness
bound, we must consider the easiest case, i.e. $e(p_i, B) = 1$ for all $p_i$. Now
$\sum_{p \le q} \log_2 p = \theta(q) / \ln 2$, where $\theta$ is the Chebyshev $\theta$-function. In [24] it has
been shown that $0.998684\, x < \theta(x) < 1.001102\, x$ for all $x > 1319007$ (under
assumption of the Riemann hypothesis, it is even possible to show that
$|\theta(x) - x| < \frac{1}{8\pi} \sqrt{x} \ln^2 x$ for $x > 599$, cf. [26]). Therefore, to find $q$ we have to
perform about $q / \ln 2$ group operations. (Note that we get the same result even
in the case $e(p_i, q) = \log_{p_i} q$, because $\sum_{p_i \le q} \log_2 p_i \cdot \log_{p_i} q = \pi(q) \log_2 q \approx q / \ln 2$
as $q \to \infty$, where $\pi(q)$ denotes the number of primes up to $q$.) In Sect. 3.5, we
will use this result to determine lower bounds for the required size of $\Delta$.

Example. We use part of the example from the previous section, namely, that $2^{64}$
group operations require about $6 \times 10^{10}$ MIPS-years (similar to the computational
work to factor a 1024 bit integer with the aid of the GNFS). If we assume that
this amount of work is infeasible, then it is safe to select a 64 bit smoothness
bound. At the end of the next section we will see that a smaller smoothness
bound is sufficient.


3.5 The Smoothness Probability of Class Numbers

The estimates in this section are based on the heuristics of Cohen and Lenstra
[7,8], although our derivation is not rigorous at all. A more rigorous derivation
should be done as in [8]; this is work in progress, and we shall present the results
in a future work. In this work we compare class numbers and ordinary integers
with respect to smoothness, and we argue that under reasonable assumptions the
probability to get a smooth class number of a random fundamental discriminant
is not much larger than the probability that a random integer is smooth.

Consider the set of all negative fundamental discriminants $\Delta$ such that $|\Delta| <
N$ for some bound $N$. Based on the heuristics of Cohen and Lenstra we assume
that, given an odd prime $p$ much smaller than $N$ and a positive integer $i$, the
proportion of such discriminants satisfying $p^i \mid h(\Delta)$ (or the "probability" that
$p^i \mid h(\Delta)$) is at most $1/p^i + 1/p^{i+1} = (1 + 1/p)/p^i$. The conjectures of Cohen and
Lenstra [8] predict that for $N \to \infty$, the probability that $p \mid h(\Delta)$ converges to

    1 - \prod_{i \ge 1} \left( 1 - \frac{1}{p^i} \right)
      = \frac{1}{p} + \frac{1}{p^2} - \frac{1}{p^5} - \frac{1}{p^7} + \frac{1}{p^{12}} + \frac{1}{p^{15}} - \cdots          (5)

Our assumption for $i \ge 2$ is in accordance with computational experiments [5].

We cannot use similar heuristics for primes that are not small compared to
$N$. However, we know by the Brauer-Siegel theorem that $\ln h(\Delta) \sim \ln\sqrt{|\Delta|}$ for
$\Delta \to -\infty$, thus class numbers are usually not small themselves.

Which power of 2 divides $h(\Delta)$ depends on the factorization of $\Delta$. As discussed
in Sect. 3.1, we will restrict to special discriminants in order to control
the two-part of $h(\Delta)$. In extension to the heuristics of Cohen and Lenstra, we
assume that such restrictions do not affect the probabilities discussed above.

For $x$ uniformly chosen from a sufficiently large interval of integers, the probability
that $p^i \mid x$ is only about $1/p^i$. Comparing this with the above estimates
for class numbers, we obtain

    \frac{\Pr(p^i \mid h(\Delta))}{\Pr(p^i \mid x)} \approx 1 + \frac{1}{p}                                   (6)

for small odd primes, which suggests that it must be expected to occur more
frequently for negative fundamental discriminants to have smooth class numbers
than for uniformly chosen integers to be smooth. We will now argue, however,
that this increase in smoothness does not imply that a significant proportion of
class numbers will be smooth.

Let $k$ be any odd smooth integer. We write $k$ as $\prod_{p \mid k} p^{e_p(k)}$. If $k$ is not so large
that $k \mid h(\Delta)$ is actually impossible, then $k$ will have only a few different prime
factors. Thus, it is conceivable that the probabilities discussed above will be
reasonably close to being statistically independent over the different $p$ dividing
$k$. Under this presumption, we obtain

    \frac{\Pr(k \mid h(\Delta))}{\Pr(k \mid x)}
      = \frac{\prod_{p \mid k} \Pr(p^{e_p(k)} \mid h(\Delta))}{\prod_{p \mid k} \Pr(p^{e_p(k)} \mid x)}
      \approx \prod_{p \mid k} \left( 1 + \frac{1}{p} \right) =: F_k .                          (7)

We now want to estimate the maximum value that this product can take for $k$
not exceeding the order of $\sqrt{|\Delta|}$ (as suggested by the Brauer-Siegel Theorem).
In order to reach the maximum, $k$ obviously must be of the form $k = \prod_{p < t} p$,
i.e. the product of the smallest primes up to some bound. We have $\prod_{p < t} p \sim e^t$
as $t$ tends to infinity (e.g. see [23, Chap. 12]), i.e. $t \sim \ln k \approx \ln\sqrt{|\Delta|}$; and thus
we estimate the maximum for $F_k$ as

    \prod_{p < t} \left( 1 + \frac{1}{p} \right)
      \approx \prod_{p < \ln\sqrt{|\Delta|}} \left( 1 + \frac{1}{p} \right)
      \approx 1.08 \ln\ln\sqrt{|\Delta|} ,                                                   (8)

where the latter approximation can be seen as follows: $(1 + 1/p) = (1 - 1/p^2)/(1 - 1/p)$,
and $\prod_{p < t} (1 - 1/p) = e^{-\gamma} / \ln t + O(1/\ln^2 t)$ (Mertens' theorem, cf. [23,
Chap. 12]), while $\prod_p (1 - 1/p^2) = 1/\zeta(2) = 6/\pi^2$, thus $\prod_{p < t} (1 + 1/p) \approx
6 e^{\gamma} / \pi^2 \cdot \ln t \approx 1.08 \ln t$ as $t$ tends to infinity.

Now if we choose $|\Delta|$ so large that random integers of the expected order of
$h(\Delta)$ are smooth only with probability close to 0, then the modest maximum
size of $F_k$ indicates that the tendency of the class number towards having small
factors does not mean it will be smooth with non-negligible probability.

Specifically, let $B = M^{1/u}$; then the probability that a random positive
integer less than $M$ is $B$-smooth is approximately $\rho(u)$, where $\rho$ is Dickman's
$\rho$-function [15]. We arrive at an estimated probability of at most $\rho(u) \ln\ln M$
for the class number being $B$-smooth by requiring $M \approx h_{odd}(\Delta) \approx \frac{h_{odd}(\Delta)}{h(\Delta)}\, c \sqrt{|\Delta|}$ where
$h_{odd}(\Delta)/h(\Delta)$ is either 1 or $\frac{1}{8}$ depending on how $\Delta$ is chosen (Sect. 3.1) and where
$c = 0.461559\ldots$ [6, Sect. 5.10.1]. I.e.,

    |\Delta| \approx 2^2 B^{2u}                                                               (9)

if $h(\Delta)$ is odd and

    |\Delta| \approx 2^8 B^{2u}                                                               (10)

if the even part of $h(\Delta)$ is 8. Note that if $|\Delta| < 2^{4600}$, then $\ln\ln\sqrt{|\Delta|} < 2^3$ so
that $8 \rho(u)$ is an upper bound for the probability estimate.

Assume that an attacker applies the algorithm from the preceding section
to class groups of random discriminants of a certain length (chosen as described
in Sect. 3.1). Further assume that he will spend at most $W_{max}$ computational
work for a single class group until he gives up, and that $B$ is the
smoothness bound for which he can succeed with this amount of work. Then
he can expect one case of success for an investment of computational work
$W = W_{max} / \Pr(h(\Delta)\ \text{is } B\text{-smooth})$. We will determine lower bounds for the
size of $\Delta$ based on this attack scenario.

Recall that 1 MIPS-year is approximately equivalent to about $2^{29}$ group
operations. Let $W = 2^{64}$ group operations, which is comparable to the expected
computational work to factor a composite 1024 bit integer by the GNFS; then
$W$ is currently infeasible (see the example in Sect. 3.4). Let $W_{max} = 2^{42}$ group
operations (corresponding to a smoothness bound of approximately $2^{42} \ln 2$, see
Sect. 3.4), which is comparable to the expected work to factor a 512 bit integer
by the GNFS. Then a smoothness probability of up to $2^{-22}$ is acceptable, thus we
need $u$ such that $\rho(u) \approx 2^{-22}/8$, and this is satisfied by $u = 8$. Since $B \approx 2^{41.5}$,
the discriminant should have at least 666 bits for case 1 of Sect. 3.1 and at least
672 bits for case 2 of Sect. 3.1 according to (9) and (10).

If $W_{max}$ is larger or if a smaller smoothness probability is demanded, then the
order of magnitude of the discriminant will increase accordingly. For instance,
if we choose $\Pr(h(\Delta)\ \text{is } B\text{-smooth}) = 2^{-30}$ with $W_{max}$ (and hence $B$) as before,
then $u = 9.6$, and thus the discriminant should have at least 799 (case 1) or 805
(case 2) bits.
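The parameter derivation of this section can be checked numerically. The following is an added example, not code from the paper: it tabulates Dickman's $\rho$ by integrating its defining equation, picks $u$ for a required smoothness probability, and evaluates (9) and (10) with the values $W = 2^{64}$ and $W_{max} = 2^{42}$ used above; the integration scheme, the nearest-$u$ search and all function names are the example's own.

```python
import math

# Added example, not the paper's code: Dickman's rho by numerical integration,
# the choice of u for a required smoothness probability, and the discriminant
# sizes of (9) and (10).  Only the constants W = 2^64, W_max = 2^42 and the
# factor 8 come from Sect. 3.5; the method and the names are this example's own.


class Dickman:
    """Tabulates rho(u) = (1/u) * integral_{u-1}^{u} rho(t) dt, rho = 1 on [0, 1],
    by the trapezoid rule; the unknown value at the right endpoint is solved for."""

    def __init__(self, u_max=20.0, steps_per_unit=2000):
        self.N = N = steps_per_unit
        h = 1.0 / N
        last = int(math.ceil(u_max * N))
        rho = [1.0] * (N + 1)                # grid values on [0, 1]
        window = float(N - 1)                # sum of rho over the interior window points
        for k in range(N + 1, last + 1):
            uk = k * h
            s = 0.5 * rho[k - N] + window    # trapezoid sum without the 0.5 * rho[k] term
            rk = (h / uk) * s / (1.0 - h / (2.0 * uk))
            rho.append(rk)
            window += rk - rho[k - N + 1]    # slide the window one step to the right
        self.rho = rho

    def __call__(self, u):
        """rho(u) for 0 <= u <= u_max, log-linear interpolation between grid points."""
        if u <= 1.0:
            return 1.0
        x = u * self.N
        lo = int(math.floor(x))
        if lo + 1 >= len(self.rho):
            return self.rho[-1]
        frac = x - lo
        return math.exp((1.0 - frac) * math.log(self.rho[lo]) + frac * math.log(self.rho[lo + 1]))


RHO = Dickman()


def smoothness_u(target_prob, rho=RHO, u_max=20.0, step=0.1):
    """u on a 0.1 grid whose rho(u) is closest (in log scale) to target_prob."""
    best_u, best_gap = None, float("inf")
    for k in range(1, int(round(u_max / step)) + 1):
        u = round(k * step, 1)
        gap = abs(math.log(rho(u)) - math.log(target_prob))
        if gap < best_gap:
            best_u, best_gap = u, gap
    return best_u


def smoothness_bound_log2(w_max_log2):
    """log2 B for W_max = 2^w_max_log2 group operations: Sect. 3.4 needs about
    q / ln 2 operations to find the prime q, hence B ~ W_max * ln 2."""
    return w_max_log2 + math.log2(math.log(2.0))


def min_discriminant_bits(u, log2_B, even_part):
    """Bit length of |D| from (9) (odd class number) or (10) (even part exactly 8)."""
    offset = {1: 2, 8: 8}[even_part]         # the 2^2 resp. 2^8 in front of B^(2u)
    return math.ceil(offset + 2.0 * u * log2_B)


def required_discriminant_bits(w_log2, w_max_log2, even_part):
    """The attacker gives up after W_max and expects one success for W = W_max / Pr,
    so Pr(h(D) is B-smooth) must be at most 2^(w_max - w); dividing by the bound
    8 >= ln ln sqrt|D| (valid for |D| < 2^4600) gives the bound on rho(u)."""
    target_rho = 2.0 ** (w_max_log2 - w_log2) / 8.0
    u = smoothness_u(target_rho)
    return min_discriminant_bits(u, smoothness_bound_log2(w_max_log2), even_part)


if __name__ == "__main__":
    print("rho(8) =", RHO(8.0), " u for rho(u) = 2^-25:", smoothness_u(2.0 ** -25))
    for even_part in (1, 8):
        print("W = 2^64, W_max = 2^42, even part", even_part, "->",
              required_discriminant_bits(64, 42, even_part), "bits")
```

With the constants of this section the script returns $u = 8$ and 666 resp. 672 bits, and $u = 9.6$ gives 799 resp. 805 bits.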

4 Conclusion 

Based on the investigation of several strategies to solve the Cl-DLP and based
on heuristic reasoning, we have shown how to select the discriminant such that
cryptosystems based on class groups offer a security comparable to that of
commonly used cryptosystems (such as RSA). In particular, we have shown
that the size of the discriminant asymptotically depends only on index-calculus
algorithms (see Table 4). Thus, since index-calculus algorithms for solving the
Cl-DLP are asymptotically much slower than index-calculus algorithms to solve
the IFP (such as the GNFS), the discriminant can be selected smaller than an
RSA modulus.

In a future work we shall demonstrate the impact of this result on the effi- 
ciency and performance of IQC. As a further research project we would also like 
to replace the heuristic reasoning of Sect. 3.5 by a more rigorous reasoning. 
Abstract. The paper shows that some elliptic curves over finite fields
of characteristic three of composite degree are attacked by a more effective
algorithm than Pollard's $\rho$ method. For such an elliptic curve $E$, we
construct a $C_{ab}$ curve $D$ on its Weil restriction in order to reduce the
discrete logarithm problem on $E$ to that on $D$. And we show that the
genus of $D$ is small enough so that $D$ is attacked by a modified form of
Gaudry's variant for a suitable $E$. We also see that such a weak elliptic curve
is easily constructed.


1 Introduction

An elliptic curve cryptosystem (ECC) is a discrete-logarithm-based public key
cryptosystem using the Jacobian group of an elliptic curve [9,12]. In ECC, we
must be careful to choose an elliptic curve. Many classes of weak elliptic curves
have been found since ECC was presented [11,4,19,15,18,16,14].

Recently, Gaudry, Hess and Smart [7] found new weak elliptic curves. They
show that some elliptic curves over finite fields of characteristic two of composite
degree are attacked by a more effective algorithm than Pollard's $\rho$ method.
They construct a hyperelliptic curve $H$ on the Weil restriction of such an elliptic
curve $E$, and show that the discrete logarithm problem (DLP) on $E$ is reduced
to that on $H$. Moreover they observe that for some such $E$, the genus of the
corresponding $H$ becomes small enough for the DLP on $H$ to be attacked by
Gaudry's variant [6].

This paper treats elliptic curves over finite fields of characteristic three of
composite degree, and shows that some of these elliptic curves are also attacked by a
more effective algorithm than Pollard's $\rho$ method.

We construct a $C_{ab}$ curve [13,3] $D$ on the Weil restriction of an elliptic curve
$E$ over a finite field of characteristic three of composite degree, and reduce the
discrete logarithm problem (DLP) on $E$ to that on $D$. Moreover, we clarify the
condition for an elliptic curve $E$ to correspond to a $C_{ab}$ curve $D$ of small genus, as
well as the method to construct such $E$. Since Gaudry's variant is also effective
for $C_{ab}$ curves with a slight modification [2], this means that some elliptic
curves of characteristic three of composite degree are also attacked by a more
effective algorithm than Pollard's $\rho$ method, and that we can construct such
weak elliptic curves effectively.

T. Okamoto (Ed.): ASIACRYPT 2000, LNCS 1976, pp. 248-258, 2000.

© Springer-Verlag Berlin Heidelberg 2000


Weil Descent of Elliptic Curves over Finite Fields of Characteristic Three


2 Computation of Weil Descent

We treat Weil descent of an elliptic curve $E_a$

    Y^2 + Y = X^3 + a Y X                                                    (1)

defined over a finite field $\mathbb{F}_{q^n}$ of characteristic three. Here, for $q = 3^d$, we assume

    \gcd(d, n) = 1.                                                          (2)

Note $E_a$ is not supersingular for nonzero $a$ (Theorem 4.1 in [17]).

Let $\Omega = \{\omega, \omega^3, \ldots, \omega^{3^{n-1}}\}$ be a normal basis for $\mathbb{F}_{3^n}$ over $\mathbb{F}_3$. By the condition
(2), $\Omega$ is a basis also for $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$. Substituting $Y = y_0 \omega + y_1 \omega^3 + \cdots + y_{n-1} \omega^{3^{n-1}}$,
$X = x_0 \omega + x_1 \omega^3 + \cdots + x_{n-1} \omega^{3^{n-1}}$ into the defining equation (1) of
$E_a$, and comparing coefficients of $\omega^{3^i}$, we get $n$ equations among $2n$ variables
$\{y_0, \ldots, y_{n-1}, x_0, \ldots, x_{n-1}\}$. The abelian variety $A_a = \mathrm{Res}_{\mathbb{F}_{q^n} / \mathbb{F}_q} E_a$ defined by
these $n$ equations is called the Weil restriction of $E_a$ [5]. Moreover, taking the
intersection of $A_a$ and the $(n - 1)$ hyperplanes $y_0 = y_i$ $(i = 1, \ldots, n - 1)$, we get an
algebraic curve $C_a$. $C_a$ is an algebraic curve defined by $n$ equations in $(n + 1)$-dimensional
affine space.

For an element $\alpha \in \mathbb{F}_{q^n}$, let $A(\alpha) \in M_n(\mathbb{F}_q)$ be the regular representation of $\alpha$
with respect to $\Omega$:

    \alpha \cdot [\omega, \omega^3, \ldots, \omega^{3^{n-1}}] = [\omega, \omega^3, \ldots, \omega^{3^{n-1}}] \cdot A(\alpha).

Using $A := A(a)$, the defining equations for $C_a$ are given by

    x_{n-1}^3 - c_1 y (A_{11} x_0 + A_{12} x_1 + \cdots + A_{1n} x_{n-1}) = -c_1 y^2 + y
    x_0^3     - c_1 y (A_{21} x_0 + A_{22} x_1 + \cdots + A_{2n} x_{n-1}) = -c_1 y^2 + y               (3)
        \vdots
    x_{n-2}^3 - c_1 y (A_{n1} x_0 + A_{n2} x_1 + \cdots + A_{nn} x_{n-1}) = -c_1 y^2 + y

Here, we put $y = y_i$ $(i = 0, \ldots, n - 1)$, and let the minimal polynomial of $\omega$ be
$T^n + c_1 T^{n-1} + \cdots + c_n$.

Putting the equations in vector form (where $P$ is the matrix of a cyclic
permutation), Equations (3) become

    P x^3 - c_1 y A x = (-c_1 y^2 + y) e.                                    (4)

Here, $x^3$ denotes the vector obtained by cubing every component of $x$.
Regular representations $A(\alpha)$ $(\alpha \in \mathbb{F}_{q^n})$ are diagonalized simultaneously using
a matrix $T$ with the eigenvectors for the Frobenius automorphism $x \mapsto x^q$
as columns:

    T^{-1} A(\alpha) T = D(\alpha^{(0)}, \alpha^{(1)}, \ldots, \alpha^{(n-1)}),                          (5)

where $D(a, b, \ldots, z)$ denotes a diagonal matrix with $a, b, \ldots, z$ as diagonal elements,
and $\alpha^{(0)}, \alpha^{(1)}, \ldots, \alpha^{(n-1)}$ $(\alpha^{(i)} := \alpha^{q^i})$ is the whole of elements conjugate
to $\alpha$ in $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$.

Putting

    x = T w,                                                                 (6)

equation (4) becomes

    T^{-1} P T^{(3)} w^3 - c_1 y D(a^{(0)}, a^{(1)}, \ldots, a^{(n-1)}) w = (-c_1 y^2 + y) T^{-1} e,     (7)

where $T^{(3)}$ denotes the matrix obtained by cubing every element of $T$.

Lemma 1. $T^{-1} P T^{(3)}$ is a diagonal matrix over $\mathbb{F}_{q^n}$.

Proof. For any element $\alpha \in \mathbb{F}_{q^n}$, by the definition of $A$,

    \alpha \cdot [\omega, \omega^3, \ldots, \omega^{3^{n-1}}] = [\omega, \omega^3, \ldots, \omega^{3^{n-1}}] \cdot A(\alpha).

Cubing both sides, the left-hand side is equal to
$\alpha^3 \cdot [\omega, \omega^3, \ldots, \omega^{3^{n-1}}] P = [\omega, \omega^3, \ldots, \omega^{3^{n-1}}] A(\alpha)^3 P$,
and the right-hand side is $[\omega, \omega^3, \ldots, \omega^{3^{n-1}}] P A(\alpha)^{(3)}$. So, we get

    A(\alpha)^3 = P A(\alpha)^{(3)} P^{-1}.

Therefore we have

    T^{-1} A(\alpha)^3 T = T^{-1} P A(\alpha)^{(3)} P^{-1} T
                     = T^{-1} P T^{(3)} \cdot T^{(3)-1} A(\alpha)^{(3)} T^{(3)} \cdot T^{(3)-1} P^{-1} T.

Thus, for any $\alpha \in \mathbb{F}_{q^n}$,

    T^{-1} A(\alpha)^3 T \cdot T^{-1} P T^{(3)} = T^{-1} P T^{(3)} \cdot T^{(3)-1} A(\alpha)^{(3)} T^{(3)}.

However, $T^{-1} A(\alpha)^3 T = T^{(3)-1} A(\alpha)^{(3)} T^{(3)} = D(\alpha^{(0)3}, \ldots, \alpha^{(n-1)3})$. So, $T^{-1} P T^{(3)}$
must be a diagonal matrix. □

In equation (7), putting

    D(b_0, \ldots, b_{n-1}) = T^{-1} P T^{(3)} \quad (b_i \in \mathbb{F}_{q^n}),                          (8)
    d = T^{-1} e,                                                            (9)

we get defining equations of $C_a$ over $\mathbb{F}_{q^n}$:

    w_i^3 - b_i^{-1} c_1 a^{(i)} y w_i = b_i^{-1} d_i (-c_1 y^2 + y) \quad (i = 0, 1, \ldots, n - 1).      (10)

We note that $b_i$, $c_1$, $d_i$ are determined only by $n$ and $d$, independent of $a \in \mathbb{F}_{q^n}$.
Example: $d = 5$, $n = 4$

Let $d = 5$, $n = 4$. Let $\kappa$ be a root of the irreducible polynomial $T^5 + T^4 + T^3 + T^2 - T + 1$
over $\mathbb{F}_3$. $\kappa$ is a primitive element of $\mathbb{F}_q$. Let $\omega$ be a root of the irreducible
polynomial $T^4 - T^3 + T^2 + T - 1$ over $\mathbb{F}_3$ (i.e. $c_1 = -1$). $\Omega = \{\omega, \omega^3, \omega^{3^2}, \omega^{3^3}\}$
is a normal basis of $\mathbb{F}_{3^n}$ over $\mathbb{F}_3$. Since $d$ and $n$ are prime to each other, $\Omega$ is a
basis also for $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$.

For

    a = \kappa^{216} \omega^3 + \kappa^{95} \omega^2 + \kappa,                                          (11)

the defining equations of $C_a$ over $\mathbb{F}_{q^n}$ are given by

    w_0^3 + (\kappa^{86} \omega^3 + \kappa^{168} \omega^2 + \kappa^{200} \omega + \kappa^{62})\, y w_0 = (\kappa^{162} \omega^3 + \kappa^{239} \omega^2 + \omega + \kappa^{19})(y^2 + y)
    w_1^3 + (\kappa^{18} \omega^3 + \kappa^{207} \omega^2 + \kappa^{168} \omega + \kappa^{182})\, y w_1 = (\kappa^{142} \omega^3 + \kappa^{11} \omega^2 + \kappa^{239} \omega + \kappa^{238})(y^2 + y)
    w_2^3 + (\kappa^{79} \omega^3 + \kappa^{60} \omega^2 + \kappa^{207} \omega + \kappa^{85})\, y w_2 = (\kappa^{121} \omega^3 + \kappa^{21} \omega^2 + \kappa^{41} \omega + \kappa^{201})(y^2 + y)
    w_3^3 + (\kappa^{47} \omega^3 + \kappa^{200} \omega^2 + \kappa^{60} \omega + \kappa^{8})\, y w_3 = (\kappa^{118} \omega^3 + \omega^2 + \kappa^{21} \omega + \kappa^{220})(y^2 + y)

3 A Component D a of the Curve C a 

We show that the curve C a has a component D„ with small genus for a suitable 
a € Fqn. We use notations in section 2. 

Lemma 2. For an element $h$ of a function field of $C_a$ over $F_{q^n}$, let $h^q$ denote the image of $h$ under the Frobenius automorphism with respect to $q$ (i.e. the generator of the Galois group $\mathrm{Gal}(F_{q^n}(y, x_0, \ldots, x_{n-1}) \mid F_q(y, x_0, \ldots, x_{n-1})) \cong \mathrm{Gal}(F_{q^n} \mid F_q)$). We have

$w_0^q = w_1,\ w_1^q = w_2,\ \ldots,\ w_{n-1}^q = w_0,$

$a^{(0)q} = a^{(1)},\ a^{(1)q} = a^{(2)},\ \ldots,\ a^{(n-1)q} = a^{(0)},$

$b_0^q = b_1,\ b_1^q = b_2,\ \ldots,\ b_{n-1}^q = b_0,$

$d_0^q = d_1,\ d_1^q = d_2,\ \ldots,\ d_{n-1}^q = d_0.$

Proof. As $a^{(i)} = a^{q^i}$, the claims for $a^{(i)}$ are obvious. In equation (5), the $i$-th column of the matrix $T$ is obtained by taking the $q$-th power of every element of the $(i-1)$-th column of $T$. So, the $i$-th row of the matrix $T^{-1}$ is obtained by taking the $q$-th power of every element of the $(i-1)$-th row of $T^{-1}$. From this, we obtain the claims for $w_i$ and $d_i$. The claims for $b_i$ also follow from equation (8). □

Putting

$\alpha_i = -b_i^{-1}c_1 a^{(i)},\quad \beta_i = b_i^{-1}d_i,\quad f = -c_1 y^2 + y \quad (i = 0, 1, \ldots, n-1),$ (12)

the defining equations (10) become

$w_i^3 + \alpha_i y w_i = \beta_i f \quad (i = 0, 1, \ldots, n-1).$ (13)

By Lemma 2, we have

$\alpha_0^q = \alpha_1,\ \alpha_1^q = \alpha_2,\ \ldots,\ \alpha_{n-1}^q = \alpha_0,$
$\beta_0^q = \beta_1,\ \beta_1^q = \beta_2,\ \ldots,\ \beta_{n-1}^q = \beta_0.$ (14)
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For the defining equations (13), put $F_0 = F_{q^n}(y, w_0)$, $F_1 = F_{q^n}(y, w_0, w_1)$, $\ldots$, $F = F_{n-1} = F_{q^n}(y, w_0, w_1, \ldots, w_{n-1})$. $F$ is a function field of $C_a$ over $F_{q^n}$. Put

$I_i = \{\gamma \in F_{i-1} \mid \gamma f = \delta^3 + \alpha_i y \delta\ (\exists \delta \in F_{i-1})\} \quad (i = 1, \ldots, n-1).$ (15)

$I_i$ is a vector space over $F_3$.

Proposition 1. For $i = 1, \ldots, n-1$, put $J_i = \langle \alpha_0^{\frac{3}{2}(q^i - 1)}\beta_0, \ldots, \alpha_{i-1}^{\frac{3}{2}(q-1)}\beta_{i-1} \rangle_{F_3}$.

Then we have $I_i \supseteq J_i$ $(i = 1, \ldots, n-1)$. Here, for $i$ and $j$ with $j < i$, $\alpha_j^{\frac{3}{2}(q^{i-j}-1)}\beta_j \in I_i$ corresponds to $\delta = \alpha_j^{\frac{1}{2}(q^{i-j}-1)} w_j$ (see equation (15)).

Proof. Let $i > j$. For $\gamma = (\alpha_i/\alpha_j)^{1/2} = \alpha_j^{\frac{1}{2}(q^{i-j}-1)}$ we have

$(\gamma w_j)^3 + \alpha_i y(\gamma w_j) = \gamma^3 (w_j^3 + \alpha_j y w_j)$

$= \alpha_j^{\frac{3}{2}(q^{i-j}-1)} (w_j^3 + \alpha_j y w_j)$

$= \alpha_j^{\frac{3}{2}(q^{i-j}-1)} \beta_j \cdot f.$

So, $\alpha_j^{\frac{3}{2}(q^{i-j}-1)}\beta_j \in I_i$. □


Theorem 1. If $\beta_i \in J_i$ holds for some $i$, then $C_a$ has a component

$w_0^3 + \alpha_0 y w_0 = \beta_0(-c_1 y^2 + y)$
$\cdots$
$w_{i-1}^3 + \alpha_{i-1} y w_{i-1} = \beta_{i-1}(-c_1 y^2 + y)$

$w_i = \delta_i$

$\cdots$

$w_{n-1} = \delta_{n-1}$

$(\delta_i, \ldots, \delta_{n-1} \in F_{i-1})$.

Proof. Suppose $\beta_i \in J_i$ holds for some $i$. For $j$ with $j > i$, we have $\beta_j = \beta_i^{q^{j-i}} \in J_i^{q^{j-i}} \subseteq J_j$ by (14). So, by Proposition 1, $\beta_j \in I_j$ $(\forall j \geq i)$. Then, by the definition of $I_j$, this means that the equation $w_j^3 + \alpha_j y w_j = \beta_j f$ $(j \geq i)$ for $w_j$ has a root $w_j = \delta_j$ already in $F_{j-1}$. □

From Theorem 1, we see that $C_a$ has a component $D_a$ of smaller genus if we choose $a \in F_{q^n}$ such that $\beta_i \in J_i$ holds for a smaller $i$.

Proposition 2. Suppose $n$ is a multiple of 4. Let $\omega \in F_{q^n}$ be a root of the irreducible polynomial $T^4 - T^3 + T^2 + T - 1$ over $F_3$, let $\gamma$ be any $(q-1)/2$-th root of unity in $F_q$, and let $\delta$ be a root of $\delta^{\frac{3}{2}(q-1)} = \omega - \omega^3 - \omega^9$ in $F_{q^n}$ (the root exists since the order of the right-hand side is a divisor of $2(q^n - 1)/(q - 1)$). Then for $a = -b_0 c_1^{-1}\beta_0\gamma\delta$, we have $\beta_2 \in J_2$.
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Proof. By equation (12), we have $\alpha_0 = -b_0^{-1}c_1 a$. We will find $\alpha_0$ such that

$\beta_2 = \alpha_0^{\frac{3}{2}(q^2-1)}\beta_0 + \alpha_1^{\frac{3}{2}(q-1)}\beta_1.$ (16)

By (14), we see $\beta_2 = \beta_0^{q^2}$, $\beta_1 = \beta_0^{q}$, $\alpha_1 = \alpha_0^q$. So, equation (16) becomes

$\beta_0^{q^2} = \alpha_0^{\frac{3}{2}(q^2-1)}\beta_0 + \alpha_0^{\frac{3}{2}(q^2-q)}\beta_0^{q}.$

Putting $\varepsilon = \beta_0^{-2/3}$, $\delta = \varepsilon\alpha_0$, this becomes

$\delta^{\frac{3}{2}(q^2-1)} + \delta^{\frac{3}{2}(q^2-q)} = 1.$

Moreover, putting $z = \delta^{\frac{3}{2}(q-1)}$, this is

$z^{q} + z^{q+1} = 1.$ (17)

By condition (2), the extension $F_{q^n} \mid F_q$ and the extension $F_{3^n} \mid F_3$ have isomorphic Galois groups. So, the Frobenius automorphism $x \mapsto x^q$ of $F_{q^n}$ becomes $x \mapsto x^3$ when restricted to $F_{3^n}$. Therefore, equation (17) becomes $z^4 + z^3 = 1$ over $F_{3^n}$. This has a root in $F_{3^n}$ when $n$ is a multiple of 4. For example, with $\omega$ as above, we can take $z = \omega - \omega^3 - \omega^9$. □

Example: d=5, n=4

Let $d = 5$, $n = 4$. We constructed $a$ in equation (11) using Proposition 2. In fact, for $a$ in equation (11), $C_a$ has a component

(18)


4 $C_{ab}$ Model of the Component $D_a$

In this section, we assume that the curve $C_a$ has the following form of component $D_a$ (see Proposition 2):

$w_0^3 + \alpha_0 y w_0 = \beta_0(-c_1 y^2 + y)$
$w_1^3 + \alpha_1 y w_1 = \beta_1(-c_1 y^2 + y)$
$w_2 = \gamma_2,\ \ldots,\ w_{n-1} = \gamma_{n-1},$ (19)

where $\gamma_2, \ldots, \gamma_{n-1} \in F_1 = F_{q^n}(y, w_0, w_1)$. $D_a$ has a unique point at infinity $P_\infty$ as a space curve in the space of $y, w_0, w_1$. In this section, we construct a nonsingular model of the component $D_a$ by a $C_{ab}$ curve [13,3] over $F_q$, and determine its genus. In the below, we call a model by a $C_{ab}$ curve simply a $C_{ab}$ model.
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Because $D_a$ has a singular point (at the origin), some work is needed to construct its nonsingular $C_{ab}$ model. Theoretically, by computing the integral closure $\bar{R}$ of the coordinate ring $R$ of $D_a$ using the algorithm of de Jong [8], and by determining functions in $\bar{R}$ with small pole numbers at $P_\infty$, we can construct a nonsingular $C_{ab}$ model of $D_a$ using those functions [10]. However, we do the task more directly and easily, as seen in Algorithm 1.

Let $v_{P_\infty}(h)$ denote the order of a function $h$ on $D_a$ at the point $P_\infty$. Since $P_\infty$ is totally ramified over $F_{q^n}(y, w_0)$, we see $v_{P_\infty}(y) = -9$, $v_{P_\infty}(w_0) = -6$, $v_{P_\infty}(w_1) = -6$. Comparing the values of $w_0$ and $w_1$ at $P_\infty$, we get $v_{P_\infty}(\beta_1^{1/3}w_0 - \beta_0^{1/3}w_1) = -m$, $m < 6$.

By Lemma [Determination of defining equations] (p. 1410) in [13], we can construct a singular $C_{m,6,9}$ model of $D_a$ over $F_{q^n}$ using the three functions $\beta_1^{1/3}w_0 - \beta_0^{1/3}w_1$, $w_0$, and $y$. In order to get a singular $C_{m,6,9}$ model $R$ of $D_a$ over $F_q$, we can use the three functions

$s := \mathrm{Tr}(\beta_1^{1/3}w_0 - \beta_0^{1/3}w_1),\quad t := \mathrm{Tr}(w_0),\quad w := y,$ (20)

where $\mathrm{Tr}$ is the trace of the extension

$F_{q^n}(y, w_0, \ldots, w_{n-1}) = F_{q^n}(y, x_0, \ldots, x_{n-1}) \mid F_q(y, x_0, \ldots, x_{n-1}).$

Note $\mathrm{Tr}(w_0) = w_0 + w_1 + \cdots + w_{n-1}$ by Lemma 2.

We normalize the singular $C_{ab}$ model $R$ as follows:

Algorithm 1 (Normalization of a singular $C_{ab}$ model)

Input: $R = F_q[x_1, \ldots, x_n]/I$: $C_{a_1, \ldots, a_n}$ model
Output: its normalization $\bar{R}$

$J \leftarrow$ the radical of the ideal of singular points in $R$
WHILE $J \neq (1)$ DO
    $y \in \mathrm{Hom}_R(J, J) \setminus R$
    $n \leftarrow n + 1$
    $x_n \leftarrow y$
    $a_n \leftarrow -v_{P_\infty}(y)$
    $R \leftarrow F_q[x_1, \ldots, x_n]/I$: $C_{a_1, \ldots, a_n}$ model constructed by $x_1, \ldots, x_n$
    $J \leftarrow$ the radical of the ideal of singular points in $R$

For the method of computing $\mathrm{Hom}_R(J, J)$ $(\subset \bar{R})$, see [20], Section 2.2.

Example: d=5, n=4

Let $d = 5$, $n = 4$. For $a = \kappa^{216}\omega^3 + \kappa^{95}\omega^2 + \kappa^{95}\omega$, the component $D_a$ was given by equation (18). In this case, the functions $s, t, w$ in (20) are calculated as

$s = (\kappa^{6}\omega^3 + \cdots + \kappa^{100}\omega + \cdots)\,w_0 + (\kappa^{190}\omega^3 + \kappa^{5}\omega^2 + \cdots + \kappa^{192})\,w_1$
$t = (\kappa^{151}\omega^3 + \kappa^{200}\omega^2 + \kappa^{195}\omega + \kappa^{66})\,w_0 + (\kappa^{53}\omega^3 + \kappa^{113}\omega^2 + \kappa^{221}\omega + \kappa^{35})\,w_1$
$w = y$
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First, assuming $m = 5$, we construct a $C_{5,6,9}$ model of $D_a$ using the functions $s, t, w$ (if in fact $m < 5$, then we would fail to construct the $C_{5,6,9}$ model and would know it):



This model has a single singular point at the origin, and the radical $J$ of its ideal is $(w, t, s)$. Calculating $\mathrm{Hom}(J, J)$, we get $x := (w^2 + w)/s \in \bar{R} \setminus R$. Since $v_{P_\infty}(x) = -13$, we can now construct a $C_{5,6,9,13}$ model of $D_a$ using $s, t, w$, and $x$:


$\kappa^{88}sw + \kappa^{60}s^3 + tw = 0$
$\kappa^{184}sw + \kappa^{42}s^3 + \kappa^{220}sx + t^3 = 0$
$w - sx + w^2 = 0$
$\cdots + \kappa^{88}sx + \kappa^{60}s^2w + tx = 0$
$\kappa^{33}w + \kappa^{?}sx + \kappa s^2w + \kappa^{137}s^4 + \kappa^{170}s^3t + \kappa^{203}s^2t^2 + wx = 0$
$\kappa^{110}w + \kappa^{137}s^3 + \kappa^{170}s^2t + \kappa^{203}st^2 + \kappa^{231}sx + \kappa^{56}s^2w + \kappa^{192}s^4 + \kappa^{228}s^3t + \kappa^{16}s^2t^2 + \kappa s^2x + \kappa^{230}s^6 + \kappa^{142}s^4t + x^2 = 0$

This model also has a single singular point at the origin, and the radical $J$ of its ideal is $(s, t, w, x)$. Calculating $\mathrm{Hom}(J, J)$, we get $u := (\kappa^{13}stw + \kappa^{13}st)/x$, $v := (\kappa^{170}stw + \kappa^{203}t^2w + \kappa^{170}st + \kappa^{203}t^2)/x \in \bar{R} \setminus R$. Since $v_{P_\infty}(u) = -7$, $v_{P_\infty}(v) = -8$, we can now construct a $C_{5,6,7,8,9}$ model of $D_a$ using $s, t, u, v, w$:

$w^2 + s^2v + \kappa^{198}s^2t + \kappa^{64}s^3 + \kappa^{176}sw + w = 0$
$vw + \kappa^{8}s^2u + \kappa^{170}s^2t = 0$
$uw + \kappa^{134}s^2t = 0$
$v^2 + \kappa^{?}s^2t + \kappa^{239}s^3 + \kappa^{?}sw + \kappa sv + \kappa^{?}su + \kappa^{?}st + \kappa^{239}s^2 + \kappa^{?}u + \kappa^{49}t + \kappa^{48}s = 0$
$uv + \kappa^{194}s^3 + \kappa^{222}sw + \kappa^{8}sv + \kappa^{95}su + \kappa^{189}st + \kappa^{13}t = 0$
$tw + \kappa^{60}s^3 + \kappa^{88}sw = 0$
$u^2 + \kappa^{83}sw + \kappa^{93}sv + \kappa^{129}su + \cdots + \kappa^{37}s^2 + \kappa^{65}s = 0$
$tv + \kappa^{181}sw + \kappa^{88}sv + \kappa^{124}su + \kappa^{84}st + \kappa^{153}s^2 + \kappa^{181}s = 0$
$tu + sv + \kappa^{?}su = 0$
$\kappa t^2 + \kappa^{?}su + \kappa^{88}st = 0$

(21)

This is a nonsingular $C_{ab}$ model.

Thus, for $a = \kappa^{216}\omega^3 + \kappa^{95}\omega^2 + \kappa^{95}\omega$, we succeeded in constructing a nonsingular $C_{ab}$ model (21) of $D_a$. Since the gap sequence at $P_\infty$ of (21) is $(1, 2, 3, 4)$, we know its genus is four.


5 The Reduction

We constructed the $C_{ab}$ curve $D_a$ of genus 4 over $F_q$ on the Weil restriction $A_a = \mathrm{Res}_{F_{q^n}|F_q} E_a$ for the value of $a$ given by Proposition 2. Tracing the route, we can easily construct the morphism $\Phi$ from $D_a$ to $A_a$ over $F_q$. From the
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definition of the Weil restriction, the morphism $\Phi$ is also a morphism from $D_a$ to $E_a$ over $F_{q^n}$. So, $\Phi$ induces the morphism $\Phi^*$ between jacobians over $F_{q^n}$:

$\Phi^* : E_a(F_{q^n}) \to J_{D_a}(F_{q^n}).$

By taking the composition with the norm map, we get the morphism $\Psi$ from $E_a(F_{q^n})$ to $J_{D_a}(F_q)$:

$\Psi = \mathrm{Norm}_{F_{q^n}|F_q} \circ \Phi^* : E_a(F_{q^n}) \to J_{D_a}(F_q),$

which reduces the DLP on $E_a(F_{q^n})$ to the DLP on $J_{D_a}(F_q)$. Since the genus of $D_a$ is 4, Gaudry's variant against $J_{D_a}(F_q)$ is more effective than Pollard's $\rho$ method against $E_a(F_{q^n})$ [7,2].


Example: d=5, n=4

Let $d = 5$, $n = 4$. For $a = \kappa^{216}\omega^3 + \kappa^{95}\omega^2 + \kappa^{95}\omega$, we constructed the nonsingular $C_{ab}$ model (21) of $D_a$. The morphism $\Phi$ from (the $C_{ab}$ model of) $D_a$ to $A_a$ is given by

$(s, t, u, v, w) \mapsto (\kappa^{55}s + \kappa^{209}t,\ \kappa^{223}s + \kappa^{209}t,\ \kappa^{193}s + \kappa^{209}t,\ \kappa^{55}s + \kappa^{209}t,\ w,\ w,\ w,\ w).$

As the morphism from $D_a$ to $E_a$, $\Phi$ can be written as

$\Phi : D_a \to E_a,\quad (s, t, u, v, w) \mapsto ((\kappa^{?}\omega^3 + \kappa^{202}\omega^2 + \kappa^{193})\,s + \kappa^{209}t,\ w).$

For example, take a point $P_1 = (\kappa^{4}\omega^3 + \kappa^{225}\omega^2 + \kappa^{?}\omega + \kappa^{187},\ \kappa^{187}\omega^3 + \kappa^{94}\omega^2 + \kappa^{197}\omega + \kappa^{239})$ of prime order 78427 on $E_a$. Then $P_1$ is pulled back to $J_{D_a}(F_{q^n})$ by $\Phi^*$ (in the below, an element of the jacobian of $D_a$ is expressed by a Groebner basis of the corresponding ideal w.r.t. the $C_{5,6,7,8,9}$ order ([1])):

PC Pi) 

= ( “ 2 + 2 ( 0 f 3 y + " tof 0 " + n f )M + {k194u>3 + + ^ + k229)s 
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By taking its norm to $F_q$-coefficients, we get the element $j_1$ of $J_{D_a}(F_q)$ corresponding to $P_1$:

$j_1 = \Psi(P_1) = \mathrm{Norm}_{F_{q^n}|F_q}(\Phi^*(P_1))$

$= (u^2 + \kappa^{210}u + \kappa^{7}t + \kappa^{45}s + \kappa^{?},$
$\ tu + \kappa^{106}u + \kappa^{203}t + \kappa^{?}s + \kappa^{227},$
$\ su + \kappa^{?}u + \kappa^{98}t + \kappa^{8}s + \kappa^{154},$
$\ t^2 + \kappa^{119}u + \kappa^{95}t + \kappa^{90}s + \kappa^{100},$
$\ st + \kappa^{?}u + \kappa^{13}t + \kappa^{38}s + \kappa^{70},$
$\ s^2 + \kappa^{13}u + \kappa^{?}t + \kappa^{6}s + \kappa^{132},$
$\ w + \kappa^{125}u + \kappa^{193}t + \kappa^{192}s + \kappa^{188},$
$\ v + \kappa^{131}u + \kappa^{135}t + \kappa^{30}s + \kappa^{56}).$

Similarly, for the point $P_2 = 45821 \cdot P_1 = (\kappa^{188}\omega^3 + \kappa^{141}\omega^2 + \kappa^{10}\omega + \kappa^{238},\ \kappa^{?}\omega^3 + \kappa^{186}\omega^2 + \kappa^{234}\omega + \kappa^{82})$, we have

$j_2 = \Psi(P_2)$

$= (u^2 + \kappa^{118}u + \kappa^{150}t + \kappa^{127}s + \kappa^{130},$
$\ tu + \kappa^{208}u + \kappa^{31}t + \kappa^{145}s + \kappa^{118},$
$\ su + \kappa^{192}u + \kappa^{42}t + \kappa^{27}s + \kappa^{134},$
$\ t^2 + \kappa^{217}u + \kappa^{17}t + \kappa^{136}s + \kappa^{12},$
$\ st + \kappa^{23}u + \kappa^{168}t + \kappa^{144}s + \kappa^{6},$
$\ s^2 + \kappa^{229}u + \kappa^{70}t + \kappa^{132}s + \kappa^{26},$
$\ w + \kappa^{234}u + \kappa^{?}t + \kappa^{157}s + \kappa^{106},$
$\ v + \kappa^{215}u + \cdots + \kappa^{37}).$

We verified that $j_2$ is actually equal to $45821 \cdot j_1$, using the addition algorithm in the jacobian of a $C_{ab}$ curve [1].


6 The Cryptographic Implications

We saw an example of an elliptic curve $E_a$ over a finite field of characteristic 3 whose DLP is reduced to the DLP on a $C_{ab}$ curve $D_a$ of genus 4, and is attacked more effectively by Gaudry's variant than by Pollard's $\rho$ method. The values of $a$ giving such weak elliptic curves $E_a$ are obtained by Proposition 2. The proportion of such values of $a$ is small. So, a randomly generated $E_a$ is safe.

However, consider the following scenario. First we construct such a weak elliptic curve $E_a$ by Proposition 2. Then, we apply some isogeny to $E_a$ to get a new elliptic curve $E'$. In almost all cases, $E'$ itself cannot be attacked by the Weil descent technique. However, since we know the isogeny, we can reduce the DLP on $E'$ to the DLP on $E_a$, and so we can solve the DLP on $E'$ more effectively than others who lack knowledge of the isogeny.

It seems difficult to check whether a given elliptic curve is obtained as the image of some isogeny of such a weak $E_a$ or not.



258 Seigo Arita 


References

1. S. Arita, "Algorithms for computations in Jacobian group of $C_{ab}$ curve and their application to discrete-log-based public key cryptosystems," Conference on The Mathematics of Public Key Cryptography, Toronto, 1999.

2. S. Arita, "Gaudry's variant against $C_{ab}$ curve," LNCS 1751, Proceedings of PKC 2000, pp. 58-67, Melbourne, 2000.

3. S. Arita, "Construction of Secure $C_{ab}$ Curves Using Modular Curves," ANTS IV, pp. 113-126, Leiden, 2000.

4. G. Frey and H.-G. Rück, "A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves," Mathematics of Computation, 62 (1994), 865-874.

5. S. Galbraith and N. Smart, "A Cryptographic Application of Weil Descent," HP Labs Tech. Report, HPL-1999-70.

6. P. Gaudry, "A variant of the Adleman-DeMarrais-Huang algorithm and its application to small genera," Conference on The Mathematics of Public Key Cryptography, Toronto, 1999.

7. P. Gaudry, F. Hess and N. Smart, "Constructive and destructive facets of Weil descent on elliptic curves," HP Labs Tech. Report, HPL-2000-10.

8. T. de Jong, "An algorithm for computing integral closure," J. Symbolic Comp., vol. 26, no. 3, pp. 36-47, 1998.

9. N. Koblitz, "Elliptic curve cryptosystems," Mathematics of Computation, 48 (1987), pp. 203-209.

10. R. Matsumoto, "Constructing Algebraic Geometry Codes on the Normalization of a Singular $C_{ab}$ Curve," Trans. of IEICE, vol. E82-A, no. 9, 1981-1985, Sep. 1999.

11. A. Menezes, T. Okamoto, and S. Vanstone, "Reducing elliptic curve logarithms to logarithms in a finite field," Proceedings of the 23rd Annual ACM Symposium on Theory of Computing, 80-89, 1991.

12. V.S. Miller, "Use of elliptic curves in cryptography," CRYPTO '85 (LNCS 218), pp. 417-426, 1986.

13. S. Miura, "Linear Codes on Affine Algebraic Curves," Trans. of IEICE, vol. J81-A, no. 10, 1398-1421, Oct. 1998.

14. H.-G. Rück, "On the discrete logarithm in the divisor class group of curves," Math. Comp., 68(226), pp. 805-806, 1999.

15. T. Satoh, K. Araki, "Fermat Quotients and the Polynomial Time Discrete Log Algorithm for Anomalous Elliptic Curves," Commentarii Mathematici Universitatis Sancti Pauli, vol. 47, no. 1, 81-92, 1998.

16. I.A. Semaev, "Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p," Math. Comp. 67, pp. 353-356, 1998.

17. J.H. Silverman, "The Arithmetic of Elliptic Curves," Springer-Verlag, 1986.

18. N.P. Smart, "The discrete logarithm problem on elliptic curves of trace one," J. Cryptology 12, 193-196 (1999).

19. S. Uchiyama, T. Saitoh, "A Note on the Discrete Logarithm Problem on Elliptic Curves of Trace Two," Proc. of the 1998 Engineering Sciences Society Conference of IEICE, pp. 231-232.

20. W.V. Vasconcelos, "Computational Methods in Commutative Algebra and Algebraic Geometry," Springer, 1998.



Construction of Hyperelliptic Curves with CM
and Its Application to Cryptosystems


Jinhui Chao 1, Kazuto Matsuo 2, Hiroto Kawashiro 3, and Shigeo Tsujii 3

1 Dept. of Electrical, Electronic, and Communication Engineering,
Faculty of Science and Engineering, Chuo University,
1-13-27 Kasuga, Bunkyo-ku, Tokyo, 112-8851 Japan
jchao@elect.chuo-u.ac.jp

2 Toyo Communication Equipment Co., Ltd.,
1-1, Koyato 2, Samukawa-machi, Koza-gun,
Kanagawa-pref., 253-0192 Japan
matuo@toyocom.co.jp

3 Dept. of Information and System Engineering,
Faculty of Science and Engineering, Chuo University,
1-13-27 Kasuga, Bunkyo-ku, Tokyo, 112-8851 Japan
tsujii@ise.chuo-u.ac.jp


Abstract. Construction of secure hyperelliptic curves is the most important yet most difficult problem in the design of cryptosystems based on discrete logarithm problems on hyperelliptic curves. Presently the only accessible approach is to use CM curves. However, finding models of CM curves is nontrivial. The popular approach uses theta functions to derive a projective embedding of the Jacobian varieties, which requires calculating the theta functions to very high precision. As we show in this paper, this costs computation time exponential in the discriminant of the CM field. This paper presents new algorithms to find explicit models of hyperelliptic curves with CM. Algorithms for CM tests of Jacobian varieties of algebraic curves, and for lifting both the models and the invariants of CM curves from small finite fields, are presented. We also show that the proposed algorithm for invariant lifting has complexity polynomial in the discriminant of the CM field.

1 Introduction 

Hyperelliptic curves and, more generally, Jacobian varieties over finite fields have been used to build cryptosystems in recent years, e.g. [20]. The integrity of cryptosystems based on these curves is currently under intensive investigation. The generic square-root attacks work for arbitrary Abelian groups but cost exponential time in general. Various "reduction" attacks, initiated by the MOV attack [23], aim to transform the discrete logarithm problem on the Jacobian varieties into simpler and easier problems, e.g. the discrete logarithm problems on the multiplicative or the additive group of the ground field. Such attacks are effective against certain curves with special properties [30]. Another generic attack, the "smooth divisor attack" [2], [24], solves the discrete logarithm
T. Okamoto (Ed.): ASIACRYPT 2000, LNCS 1976, pp. 259-273, 2000. 
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problem on curves of large genera in subexponential time. In particular, an attack on hyperelliptic curves of genus six was reported recently [14] [11]. In spite of these results, the discrete logarithm problems on generic curves with small genera and almost-prime orders still seem at least as intractable as on elliptic curves.

Besides, cryptosystems based on Abelian varieties of genus $g > 1$ also have a shorter word-length for the same key size than systems on elliptic curves, which is an advantage in processing, transmission and implementation. Moreover, since there are far richer isogeny classes of such curves than of elliptic curves, more secure and flexible applications of the cryptosystems can be expected. However, constructing secure hyperelliptic curves seems far more nontrivial than for elliptic curves.

The order-counting algorithms, or Schoof's algorithm, for elliptic curves have been extended to hyperelliptic curves; e.g. [1] showed an algorithm to calculate orders of Jacobians for curves of genus 2 in random polynomial time. [29] presented a deterministic polynomial time order-counting algorithm of $O((\log p)^\Delta)$. However, it is observed that $\Delta > \exp(\exp(2g+1))$, where $g$ is the genus of the curve [17]. [17] also extended Schoof's algorithm to plane curves over algebraic number fields with arbitrary singularities, at a cost of random polynomial time $O((\log p)^\delta)$, where $\delta = (2g+1)^{O(1)}$. The present record among these kinds of algorithms is [3], which gave a deterministic algorithm improving [29] at a cost of $O((\log q)^{\ldots})$. All these general order-counting algorithms are still too costly to be used in practical calculation and seem difficult to implement. Besides, they have to repeat the whole order-counting calculation many times until an almost-prime Jacobian is found. In [20], the order of a Jacobian variety over a small finite field is counted and then the curve is lifted by the Weil conjecture. This method is very fast, although the number of secure curves that can be found seems limited. Besides, these curves are also subject to attacks using large automorphism groups [11].

Another approach pursued in recent years is to use the simple factors of the Jacobian varieties of a special kind of curves called modular curves [13] [38] [39], using the analytic embedding by theta functions [25] [26]. Besides the computational cost of the high-precision expansion of these modular functions, since their method of counting the order by the Eichler-Shimura formula takes exponential time, it seems that Jacobian varieties can only be built over finite fields with characteristic of no more than ten digits. Considering that presently used curves have genera less than or equal to four, one can only count Jacobian varieties with orders of forty digits, still quite insufficient for cryptographic applications. A recent report showed a straightforward implementation of a Schoof-like algorithm on hyperelliptic curves using Cantor's analogue of the division polynomials of elliptic curves, but it can only count Jacobian varieties with orders of less than, again, forty digits [15].

A hopeful direction is to use CM curves, i.e. algebraic curves defined over algebraic number fields whose Jacobian varieties have complex multiplication. In fact, fast algorithms that design secure Jacobian varieties over finite fields using CM curves have been shown in [7] [8]. These algorithms have complexity
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polynomial in the characteristic of the finite ground fields [8]. CM curves have nice properties that make order-counting easy and provide enough randomness for security as well. Furthermore, they have a potential advantage in the implementation of cryptosystems. In particular, once one has an arbitrary CM curve over an algebraic number field, one will be able to design different secure curves, or their Jacobian varieties over finite fields, based on the same CM curve very quickly by changing the definition finite field. This is convenient in practice, since when one wishes to update the system periodically by changing the curves, one need not transmit a new curve over an insecure channel.

Recently, [11] presented an attack on curves with large automorphism groups and applied it to a genus six curve whose CM field is a cyclotomic field. In fact, these kinds of fields contain the roots of unity of order $2g+1$, where $g$ is the genus. However, generic CM curves have only trivial automorphism groups, so these curves are among very special CM curves. These CM fields were used simply because the order calculation of the Jacobian varieties could be made easy by using the Jacobi sums in the cyclotomic fields [20][27][4]. Since a polynomial time algorithm to calculate the order of Jacobian varieties for a general CM field is already available [7] [8], one can readily avoid such non-generic curves.

Thus, the remaining problem is how to find CM curves as fast and as many as possible; more concretely, to find CM curves with small genera and large discriminants of their CM fields. Until now, the main approach to building CM curves has been to use theta function theory to build a projective embedding of the Jacobian varieties [25][26]. [33] built two CM hyperelliptic curves of genus two. This approach was then improved by [38] [39] [36]. In fact, the nineteen CM hyperelliptic curves defined over Q were built recently in [36]. This approach, however, needs exponentially high precision computation in the theta series expansion in order to cope with potential approximation errors. As we show in this paper, this algorithm costs exponential time in the discriminant of the CM field.

In this paper, we present new algorithms to find explicit models of hyperelliptic curves with CM. We avoid the numerical difficulty of the analytic embedding by using only algebraic manipulations on small finite fields. Both models and invariants of the CM curves are lifted with the CRT from these finite fields. Algorithm 2, which lifts models of CM curves, has no restriction on the genera or the shapes of the defining equations of the curves. In Algorithms 3 and 4, which lift invariants of CM curves, we restrict ourselves to a subfamily so that one can always obtain the model of the curve from its invariants. Besides, these algorithms can also be used for other curves of genera larger than two if an explicit definition of their moduli invariants is available. Being probabilistic algorithms, the CM tests proved to be very simple and sharp. The lifting algorithms are deterministic, and a complexity analysis shows that the invariant lifting algorithm has complexity polynomial in the discriminant of the CM field.

This paper is organized as follows. In Chapter 2, we give some notation and definitions. In Chapter 3, we show algorithms for CM tests of Jacobian varieties of algebraic curves. In Chapter 4, an algorithm to lift the models of algebraic curves with CM from finite fields is presented. In Chapter 5,
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an algorithm is presented to lift the invariants of CM hyperelliptic curves. In Chapter 6, we show a complexity analysis for both the analytic embedding algorithm and the invariant lifting algorithm. Finally, we show examples comparing the proposed algorithm with the analytic embedding algorithm, and also an application to the design of a secure hyperelliptic cryptosystem. In the appendix we show an algorithm to find the model of a curve from its moduli invariants using a subfamily of curves.

2 Preliminary 

A hyperelliptic curve over a field $F$ of genus $g$ is defined by
$C : Y^2 + Y h(X) = f(X)$

with the point at infinity, where $\deg h \leq g$, $\deg f = 2g+1$. For $\mathrm{char}\, F \neq 2$, one can use the definition

$C : Y^2 = f(X).$

An $F$-rational point $P \in C(F)$ is defined as either $P = (x, y)$ such that $x, y \in F$ and $y^2 + y h(x) = f(x)$, or the point at infinity. A (Weil) divisor $D$ on $C$ is defined as a finite formal sum of the form $\sum_i m_i P_i$, $m_i \in \mathbb{Z}$, $P_i \in C(F)$. The degree of $D$ is defined as $\deg(D) = \sum_i m_i$. In particular, the divisors of degree zero form a subgroup $\mathcal{D}^0(C)$ of the divisor group, whose elements are algebraically equivalent to zero. The function field of $C$ consists of $\{p/q\}$, $p, q \in F[u, v]$, $q \neq 0 \bmod v^2 + v h(u) - f(u)$. The divisor of a function $p/q$ on $C$ is defined as $\sum_i m_i P_i - \sum_j n_j Q_j$; here $P_i, Q_j \in C(F)$ are the zeros and poles of the function and $m_i$, $n_j$ are the multiplicities of the zeros and the poles. It can be shown that all divisors of functions on $C$ have degree zero; they are called principal divisors, or linearly equivalent to zero. Obviously the principal divisors form a subgroup $\mathcal{D}^l(C)$ of $\mathcal{D}^0(C)$. The Jacobian variety of $C$ is then defined as follows:

$J = \mathcal{D}^0(C)/\mathcal{D}^l(C).$

For $F = F_q$, an $F_q$-rational divisor is defined as a divisor which is fixed under the Galois action on $\bar{F}_q$, and the group of $F_q$-rational points $J(F_q)$ is generated by $F_q$-rational divisors.

It is known that a Jacobian variety is an Abelian variety, i.e. a complete and nonsingular variety with a commutative addition law as an algebraic group. As proved by A. Weil, for curves of genus $g$ the orders of their Jacobian varieties over finite fields fall in the following range:

$(q^{1/2} - 1)^{2g} \leq \#J(F_q) \leq (q^{1/2} + 1)^{2g}.$

The Jacobian varieties of hyperelliptic curves can then be used to define a discrete logarithm problem: find $m \in \mathbb{Z}$ given two divisors $D_1, D_2 \in J(F_q)$ such that $D_1 = m D_2$.
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We now introduce an important property of the endomorphism rings of Abelian varieties. Let $F$ be an algebraic number field, $A/F$ a $g$-dimensional Abelian variety, and $\mathrm{End}_F A$ its endomorphism ring. It is known that for a simple Abelian variety $A$, $\mathrm{End}_F A$ is a division algebra of finite rank over $\mathbb{Q}$ with an involution $x \mapsto x'$ such that if $x \neq 0$, $\mathrm{Tr}_{K/\mathbb{Q}}(xx') > 0$. Define $K = \mathrm{End}^0 A := \mathrm{End}_F A \otimes_{\mathbb{Z}} \mathbb{Q}$. When $K$ is isomorphic to a totally imaginary quadratic extension of a totally real extension of $\mathbb{Q}$, of degree $2g$, $A$ is said to have complex multiplication, or CM. $K$ is called the CM field of $A$. It is known that ordinary Abelian varieties over finite fields are all CM, and any CM Abelian variety is isogenous to an Abelian variety over finite fields. For further details of notation see e.g. [21], [32].

3 CM Tests of Jacobian Varieties 

In this section, we show an efficient algorithm to test whether the Jacobian variety of an algebraic curve has CM, which proves very useful in later chapters. This probabilistic algorithm is based on a certain interesting relation between the reduction of an Abelian variety over an algebraic number field to a finite field modulo a prime ideal in the integral ring of the number field, lying over a prime number, and the decomposition of the principal ideal generated by the prime number in the integral ring of the definition field [32] [21].

Definition 1. A pseudo-CM algebraic curve is defined as one whose Jacobian variety passed one of the following CM tests.

Consider a curve $C/F$, $F$ an algebraic number field; we denote the residue field of a prime $\mathfrak{p}$ of $F$ as $F_q$, and $Z(X)$ the characteristic polynomial of the Frobenius endomorphism on $F_q$-rational divisors of the Jacobian variety $J/F_q$ of $C/F_q$. To simplify the treatment involving the reflex CM field and reflex CM type, we will hereafter assume that all the CM fields are abelian and the $Z(X)$'s are irreducible.

Below, we will use the algorithms in e.g. [8] [28] to calculate the CM field and CM type of a Jacobian variety with CM.

Algorithm 1

Procedure 1 (Ordinary reduction test)

Input: A random curve $C/F$ of genus $g$, $N \in \mathbb{N}$;

Output: Whether $C/F$ is a pseudo-CM curve, and when it is, the CM field $K$;

Step 1 Find the CM field and the discriminant $d_1$ of $Z_1(X)$ of $C/F_{q_1}$ with ordinary reduction for a small prime $p_1$;

Step 2 Choose small primes $p_i$, $i = 2, \ldots, N$ such that $Z_1(X) \bmod p_i$ splits. For $J/F_{q_i}$ find the discriminant $d_i$ of $Z_i(X)$; if the square-free part of $d_1$ does not equal that of $d_i$ for some $i$, output that $C/F$ has no CM;

Step 3 Output $C$ as a pseudo-CM curve whose CM field $K$ has minimal polynomial $Z_1(X)$;
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Procedure 2 (Supersingular/bad reduction tests)

Input: A random curve $C/F$ of genus $g$, $N \in \mathbb{N}$;

Output: If $C/F$ is a pseudo-CM curve, its CM field $K$;

Step 1 Find the CM field and the characteristic polynomial $Z_1(X)$ of $J/F_{q_1}$ with ordinary reduction for a small prime $p_1$;

Step 2 Choose small primes $p_i$, $i = 2, \ldots, N$ such that $Z_1(X) \bmod p_i$ is irreducible or $p_i \mid d_1$; if neither $J/F_{q_i}$ is supersingular nor $C/F_{q_i}$ is singular for any $i$, output that $C/F$ has no CM;

Step 3 Output $C$ as a pseudo-CM curve whose CM field has minimal polynomial $Z_1(X)$;
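The following is an added example, not code from the paper: Procedure 1 for a genus-2 curve $y^2 = f(x)$ with integer coefficients, where $Z_p(X)$ is obtained by counting points over $F_p$ and $F_{p^2}$ and the square-free parts of its discriminant are compared across primes of ordinary reduction. It assumes the simplifications stated in its header comment (no CM-field or CM-type computation, and the splitting condition of Step 2 is not enforced), and its sample curve $y^2 = x^5 + 1$ and prime list are constructed for the demonstration.

```python
# Added example, not the paper's code: Procedure 1 (ordinary reduction test) for a
# genus-2 curve y^2 = f(x), deg f = 5, with integer coefficients. Z_p(X) comes from
# point counts over F_p and F_{p^2}; primes of bad or non-ordinary reduction are
# skipped and the square-free parts of disc Z_p(X) are compared across primes.
# Assumed simplifications: no CM field/CM type computation, and Step 2's splitting
# condition on Z_1(X) mod p_i is not enforced.
from fractions import Fraction

def legendre(a, p):
    """Quadratic character of F_p; 0 for a = 0 mod p."""
    a %= p
    return 0 if a == 0 else (1 if pow(a, (p - 1) // 2, p) == 1 else -1)

def eval_fp2(f, x, n, p):
    """Horner evaluation of f (highest coefficient first) at x = (a, b), which
    represents a + b*r in F_{p^2} = F_p(r), r^2 = n, n a non-residue mod p."""
    ra, rb, (xa, xb) = 0, 0, x
    for c in f:
        ra, rb = (ra * xa + n * rb * xb + c) % p, (ra * xb + rb * xa) % p
    return ra, rb

def point_counts(f, p):
    """#C(F_p) and #C(F_{p^2}) for y^2 = f(x), including the single point at infinity."""
    fp = [c % p for c in f]
    n1 = 1 + sum(1 + legendre(eval_fp2(fp, (x, 0), 0, p)[0], p) for x in range(p))
    n, n2 = next(k for k in range(2, p) if legendre(k, p) == -1), 1
    for a in range(p):
        for b in range(p):
            va, vb = eval_fp2(fp, (a, b), n, p)
            # z is a square in F_{p^2} iff its norm z^(p+1) = va^2 - n*vb^2 is a square in F_p
            n2 += 1 + legendre(va * va - n * vb * vb, p)
    return n1, n2

def frobenius_charpoly(f, p):
    """Z_p(X) = X^4 + a1 X^3 + a2 X^2 + p*a1 X + p^2, returned as [1, a1, a2, p*a1, p^2]."""
    n1, n2 = point_counts(f, p)
    a1 = n1 - p - 1
    a2 = (n2 - p * p - 1 + a1 * a1) // 2
    return [1, a1, a2, p * a1, p * p]

def determinant(rows):
    """Exact determinant by Gaussian elimination over the rationals."""
    m = [[Fraction(x) for x in r] for r in rows]
    n, det = len(m), Fraction(1)
    for c in range(n):
        piv = next((r for r in range(c, n) if m[r][c] != 0), None)
        if piv is None:
            return 0
        if piv != c:
            m[c], m[piv] = m[piv], m[c]
            det = -det
        det *= m[c][c]
        for r in range(c + 1, n):
            k = m[r][c] / m[c][c]
            for j in range(c, n):
                m[r][j] -= k * m[c][j]
    return int(det)

def discriminant(poly):
    """Discriminant of a monic integer polynomial via the Sylvester resultant Res(P, P')."""
    n = len(poly) - 1
    deriv = [c * (n - i) for i, c in enumerate(poly[:-1])]
    rows = [[0] * i + poly + [0] * (n - 2 - i) for i in range(n - 1)]
    rows += [[0] * i + deriv + [0] * (n - 1 - i) for i in range(n)]
    return (-1) ** (n * (n - 1) // 2) * determinant(rows)

def squarefree_part(d):
    """Square-free part of an integer, with its sign (the quantity Step 2 compares)."""
    sign, d, result, q = (-1 if d < 0 else 1), abs(d), 1, 2
    while q * q <= d:
        e = 0
        while d % q == 0:
            d, e = d // q, e + 1
        if e % 2:
            result *= q
        q += 1
    return sign * result * d

def ordinary_reduction_test(f, primes):
    """Return (verdict, evidence): True means 'pseudo-CM' (Step 3); False means Step 2
    found two ordinary primes whose disc Z_p(X) have different square-free parts."""
    evidence, ref, disc_f = [], None, discriminant(f)
    for p in primes:
        if disc_f % p == 0:    # bad reduction: the curve is singular mod p
            continue
        z = frobenius_charpoly(f, p)
        if z[2] % p == 0:      # middle coefficient divisible by p: reduction is not ordinary
            continue
        sf = squarefree_part(discriminant(z))
        evidence.append((p, z, sf))
        if ref is None:
            ref = sf
        elif sf != ref:
            return False, evidence
    return ref is not None, evidence

# Constructed input: y^2 = x^5 + 1 has CM by Q(zeta_5) (discriminant 5^3), so every ordinary
# prime (p = 1 mod 5) must report square-free part 5, while 7 and 13 are supersingular.
CM_CURVE = [1, 0, 0, 0, 0, 1]
TEST_PRIMES = [7, 11, 13, 31, 41]
```

Running `ordinary_reduction_test(CM_CURVE, TEST_PRIMES)` skips 7 and 13 (their middle coefficient is 0), and the three ordinary primes 11, 31 and 41 all report square-free part 5, so the verdict is "pseudo-CM".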

4 Lifting Models of Curves with CM 

It is known that every CM Abelian variety $A$ has a projective model over $\bar{\mathbb{Q}}$. The definition field $F$ of the equations is contained in the definition field of the model $(A, \iota, \mathcal{C})$, where $\iota : K \hookrightarrow \mathrm{End}_F A$ is an embedding and $\mathcal{C}$ a polarization, which is however not easy to find. One may then use the latter for $F$ instead and also denote it as $F$. Furthermore, one may choose the definition fields of the models to coincide with the so-called fields of moduli under certain conditions [40], which can be built from the class field of $K$. In particular, when $A$ is simple, which is the case we are dealing with, and $A$ is principal, e.g. $\mathrm{End}(A)$ equals the maximal order $O_K$, the definition field of the model can be derived under minor conditions from the Hilbert class field, which we denote as $K_{ab}$ [32] [40].

In this section, we show how to lift from small finite fields the models of curves with CM defined e.g. over the class field of $K$.

Algorithm 2

Input: A model of the equations of a curve family $\{C/\mathbb{Q}\}$ of genus $g$;

Output: Curves in the family with CM over $K_{ab}$ and their CM fields $K$;

Step 1 For a small prime $p_1$, choose models of all non-isomorphic curves $C_1/F_{q_1}$ in the family over $F_{q_1}$ (e.g. in the case of hyperelliptic curves one may take $y^2 = x^{2g+1} + a_1 x^{2g} + \cdots + a_{2g} \pmod{p_1}$) such that $J_1/F_{q_1}$ is ordinary, its CM field $K$ is abelian and $Z(X)$ is irreducible. Calculate $K$, its discriminant $d_K$ and the class number $h$ of $O_K$;

Step 2 For each of the pairs $(C_1/F_{q_1}, K)$, choose small primes $p_i$ such that $p_i \mid d_K$, then find the curves $C_i/F_{q_i}$ such that either $C_i/F_{q_i}$ is singular or $J_i/F_{q_i}$ is supersingular. The conjugates of the coefficients of each defining equation are collected to compose the reduction, modulo the prime ideal over $p_i$, of the minimal polynomial of the corresponding coefficient of the curve $C/K_{ab}$ with CM field $K$;

Step 3 For each of the pairs $(C_1/F_{q_1}, K)$, choose small primes $p_i$, $i = 2, \ldots, M$, such that $p_i$ is inert in $K$, then find the curves $C_i/F_{q_i}$ such that either $C_i/F_{q_i}$ is singular or $J_i/F_{q_i}$ is supersingular. The conjugates of the coefficients of each defining equation are collected to compose the reduction of the minimal polynomial of the corresponding coefficient of the curve $C/K_{ab}$ with CM field $K$;

Step 4 For each of the pairs $(C_1/F_{q_1}, K)$, choose small primes $p_i$, $i = 2, \ldots, M$, such that $p_i$ splits completely in $K$, then find the curves $C_i/F_{q_i}$ such that $\mathrm{End}^0_{F_{q_i}} J_i = K$. Again the conjugate coefficients are collected to compose the minimal polynomial of the corresponding coefficient of the curve $C/K_{ab}$ with CM field $K$;

Step 5 Choose one candidate curve $C_i$ for each $i$ and apply the CRT to each coefficient to recover the equation of $C/K_{ab}$;

Step 6 If $C/K_{ab}$ passes the CM tests, output it as a pseudo-CM curve; if not, go to Steps 2-4 to try the other combinations, or add one more prime;

Remark 1. The family of curves is not limited to hyperelliptic curves or genus two curves. A reasonable choice for such a family is the de Jong-Noot family [10], which is known to contain infinitely many CM curves.

Remark 2. For a fast implementation a one-parameter family would be desirable. A more efficient approach is to select the candidate curves by determining the isomorphism type of the endomorphism ring of $J/F_q$, using an algorithm such as the generalization of Kohel's algorithm to ordinary reductions in [22].

Remark 3. It is also possible to use certain convenient properties of the supersingular reduction to raise the efficiency of the lift. In particular, if $p_i$ is chosen carefully, the reduction of the Jacobian will be isomorphic to a product of supersingular elliptic curves (a supersingular Abelian variety), and the calculation can then be carried out over elliptic curves [19].

5 Lifting of Invariants of Hyperelliptic Curves with CM Jacobians

It can be observed in the lifting of the models of curves that it is desirable to lift the invariants instead of the models, in order to reduce the number of candidates. This is possible if an explicit definition of the moduli invariants is known, as in the genus two case.

Algorithm 3

Input: A model of a curve family $C/\mathbb{Q}$ whose invariants $\mathcal{I} = (I_1, \ldots, I_m)$ in their moduli space are explicitly defined;

Output: Invariants $\mathcal{I}$ of curves in the family with CM over $K_{ab}$ and their CM fields $K$;

Step 1 For a small prime $p_1$, choose among the family all non-isomorphic curves $C_1/F_{q_1}$ such that $J_1/F_{q_1}$ is an ordinary reduction, its CM field $K$ is abelian and $Z(X)$ is irreducible. Calculate $K$, the discriminant $d_K$, the class number $h$ of $O_K$ and the invariants $\mathcal{I}_1/F_{q_1}$;

Step 2 For each of the pairs $(C_1/F_{q_1}, K)$, choose small primes $p_i$ such that $p_i \mid d_K$, then find the curves $C_i/F_{q_i}$ in the family such that either $C_i/F_{q_i}$ is singular or $J_i/F_{q_i}$ is supersingular. Calculate all conjugates of their invariants $\mathcal{I}_i/F_{q_i}$. These invariants are collected to compose the reduction, modulo the prime ideal over $p_i$, of the minimal polynomial of the corresponding invariant $\mathcal{I}$ of the curve $C/K_{ab}$ with CM field $K$;

Step 3 For each of the pairs $(C_1/F_{q_1}, K)$, choose small primes $p_i$, $i = 2, \ldots, M$, such that $p_i$ is inert in $K$, then find the curves $C_i/F_{q_i}$ in the family such that either $C_i/F_{q_i}$ is singular or $J_i/F_{q_i}$ is supersingular. Calculate all conjugates of their invariants $\mathcal{I}_i/F_{q_i}$. Then compose the reduction of the minimal polynomial of the corresponding invariant $\mathcal{I}$ of the curve $C/K_{ab}$ with CM field $K$;

Step 4 For each of the pairs $(C_1/F_{q_1}, K)$, choose small primes $p_i$, $i = 2, \ldots, M$, such that $p_i$ splits completely in $K$, then find the curves $C_i/F_{q_i}$ in the 1-parameter family such that $\mathrm{End}^0_{F_{q_i}} J_i = K$. Calculate all conjugates of their invariants $\mathcal{I}_i/F_{q_i}$. Then compose the reduction of the minimal polynomial of the corresponding invariant $\mathcal{I}$ of the curve $C/K_{ab}$ with CM field $K$;

Step 5 Choose one candidate minimal polynomial of $\mathcal{I}_i$ for each $i$ and use the CRT to lift each coefficient of the minimal polynomial to $K_{ab}$;

Step 6 If the model $C/K_{ab}$ with invariant $\mathcal{I}$ passes the CM tests, output it as a pseudo-CM curve; if not, go to Steps 2-4 to try the other combinations, or add one more prime;

Remark 4. Again, efficient identification of the isomorphism type of the endomorphism ring of $J/F_q$ could substantially accelerate the calculation. The only algorithm available at present is the one in [22], which generalizes Kohel's algorithm for determining the isomorphism type of the endomorphism ring of ordinary elliptic curves over finite fields, using Cantor's analogue of the division polynomials of elliptic curves.

Remark 5. One can lift either the integral (relative) or the absolute invariants. The absolute invariants are known to be algebraic numbers but need not be algebraic integers. To lift such numbers one may use the algorithm in [37], which needs a CRT modulus of twice the size of the maximum of the numerator and the denominator.

Remark 6. It is known that finding the equation of a curve from its invariants is usually very difficult. In the projective embedding using theta functions this problem is solved by Mestre's trick, which however does not apply here. We show an algorithm to overcome this problem using a one-parameter family; it is given as Algorithm 4 in the Appendix. To find the equations of curves one may apply its Steps 1-2 before Step 1 of Algorithm 3, and its Steps 3-4 after Step 5 of Algorithm 3. The example shown below used a new approach to find the curve equation from its invariants, based on polynomial resultants, which will be reported in the near future.

Remark 7. Further approaches to reduce the number of candidates so as to accelerate the whole calculation are discussed in [22][16].
6 Complexity Analysis

We give an analysis of both the analytical embedding of CM Jacobian varieties using the theta functions and the proposed algorithm for invariant lifting.

Below we follow the notations and the algorithms in e.g. [36] and assume $g = 2$.

Theorem 1. The analytical embedding using the theta functions costs time exponential in the discriminant of the CM field $K$: $O\bigl(|d_K|^{9/8}\, 2^{\frac{3}{2}\sqrt{|d_K|}}\bigr)$.

Proof. For simplicity we assume that the CM type $(K, \{\phi_i\})$ is self-dual and that the endomorphism ring is the maximal order $O_K$. The discriminant of $K$ is denoted by $d_K$. Assume the principal polarization of the embedding is given by the Riemann form $E(z, w)$ determined by $\xi \in K$ with $\bar{\xi} = -\xi$ and $\phi_i(\xi)^2 < 0$.

The theta functions can be estimated by Minkowski's lemma, using the minimal sum of absolute values to approximate the minimal type trace. In particular, for $\delta, \varepsilon \in \mathbb{R}^2$ and $\Omega = \mathrm{diag}[\phi_i(\xi)]$,

$$|\theta_{\delta,\varepsilon}(\Omega)| = \Bigl|\sum_{m \in \mathbb{Z}^2} e^{\pi i (m+\delta)\Omega(m+\delta)^{T} + 2\pi i (m+\delta)\varepsilon^{T}}\Bigr| = O\Bigl(\sum_{m \in \mathbb{Z}} e^{-\pi\, \mathrm{Im}\,\phi_i(\xi)\, m^2}\Bigr) = O\bigl(e^{-(96\pi^3)^{1/4}\, |d_K|^{1/8}}\bigr).$$

Then in the Rosenhain normal form
$$y^2 = x(x-1)(x-\lambda_1)(x-\lambda_2)(x-\lambda_3)$$
the roots $\lambda_i$ can be estimated from the theta constants, i.e. the values of the theta functions at particular choices of $\delta, \varepsilon$: $\lambda_i = O\bigl(e^{4(96\pi^3)^{1/4}|d_K|^{1/8}}\bigr)$. Thus the integral Igusa invariants, which are defined by the Rosenhain normal form, can be estimated as $I_i = O\bigl(e^{120(96\pi^3)^{1/4}|d_K|^{1/8}}\bigr)$. Since the absolute invariants are homogeneous ratios of the integral invariants, the calculations in the embedding by the theta functions are dominated by those for the integral invariants, so we use the estimate of the integral invariants in the analysis of the whole algorithm.

Next, assume that the Igusa invariant is defined over a ray class field, for simplicity the Hilbert class field. To calculate an algebraic integer with a minimal polynomial of degree $h$ will generally require a precision of
$$\mathrm{Prec}(d_K) = O\Bigl(120(96\pi^3)^{1/4}\; h\binom{h}{\lfloor h/2\rfloor}\; |d_K|^{1/8}\Bigr)$$
due to the error accumulation, mainly in the middle term of the minimal polynomial (see also [5]). Using Stirling's formula and taking $\sqrt{|d_K|}$ as an upper bound of the class number $h$,
$$\mathrm{Prec}(d_K) = O\bigl(2^{\sqrt{|d_K|}}\, |d_K|^{5/8}\bigr).$$

Taking the number of terms in the theta series expansion as

the complexity of the whole embedding is $O\bigl(|d_K|^{9/8}\, 2^{\frac{3}{2}\sqrt{|d_K|}}\bigr)$. □

Theorem 2. The invariant lifting algorithm finds the model of a CM curve in time polynomial in the discriminant of the CM field $K$: $O(|d_K|^{135/8})$.

Proof. Consider the lifting of the Igusa invariants over the Hilbert class field of the CM field $K$. The largest coefficient is that of the middle degree term, but its order can also be estimated from the highest degree coefficient. Since $I_i = O\bigl(e^{120(96\pi^3)^{1/4}|d_K|^{1/8}}\bigr)$, the order of the largest coefficient is about $O(I_i^h)$. By the Chinese remainder theorem and the prime number theorem, in order to lift such integers it is enough to repeat the calculation of their shadows, i.e. reductions, over $L = O(|d_K|^{5/8})$ finite fields $F_q$. The sizes of these finite fields are also of the same order, $q = O(L)$. (Here the lifting of a rational number requires a CRT modulus of twice the size of the numerator and denominator, but the order remains the same [37].)

Determining the isomorphism type of the endomorphism ring over $F_q$ using the generalized Kohel algorithm of [22] requires $O(q^{20})$ computations. If this algorithm is applied to all $q^6$ curves over each finite field, the calculations amount to $L^{26} = O(|d_K|^{65/4})$. The overall cost is then $L^{27} = O(|d_K|^{135/8})$.

Lifting the minimal polynomials of the absolute Igusa invariants, with $h$ coefficients, from the $L$ residues over finite fields of size $L$ requires $hL^3$ computations, i.e. $O(|d_K|^{19/8})$ in total. Thus the whole complexity is dominated by $L^{27} = O(|d_K|^{135/8})$. □


7 Example

We show an example of the construction of a secure hyperelliptic curve using the CM field $K = \mathbb{Q}(\alpha)$, where $\alpha = \sqrt{-61 + 6\sqrt{61}}$. One can show that $\mathrm{Gal}(K/\mathbb{Q}) = \mathbb{Z}/4\mathbb{Z}$, that its class number is $h = 1$, and that the minimal polynomial of $\alpha$ is $Z(X) = X^4 + 122X^2 + 1525$ (from $(\alpha^2 + 61)^2 = 36 \cdot 61$).

Firstly, we construct by ordinary lifting the absolute Igusa invariants of a curve whose endomorphism ring is isomorphic to the maximal order $O_K$ of $K$. We chose some small primes $l$ such that $Z$ splits completely modulo $l$, so that we can compute the absolute Igusa invariants of the curves whose endomorphism ring over $F_l$ is isomorphic to $O_K$. Then they were lifted to $\mathbb{Q}$ by the CRT and Wang's algorithm [37]. The following table shows the process in which the set of primes $l$, used in the residue collecting and lifting steps of the invariants by CRT, is enlarged one by one. The marked places denote that no rational number is output by Wang's algorithm, which means that one has to use more primes and residues, because Wang's algorithm requires the product of all the primes used in the CRT to be greater than twice the square of the larger of the numerator and the denominator (cf. Remark 5).
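Step 5 of Algorithms 2 and 3, Remark 5 and the table described above rest on the same mechanism: collect the residues of a rational invariant modulo small primes, combine them by the CRT and recover the rational number by Wang's algorithm once the modulus is large enough. The following added example (not the paper's code) carries this out on the paper's invariant $i_2$. Its assumptions: the residues are computed here from the known target, whereas in the paper they come from the curves over $F_l$; the primes are the first 20-bit primes, generated by trial division; and primes dividing the denominator of $i_2$ (bad reduction, no residue) are skipped.

```python
"""Rational reconstruction of an invariant from residues modulo small primes
(CRT + Wang's algorithm [37]).  Added example, not code from the paper.
Constructed inputs: the target is the paper's invariant i_2; the primes are
the first 20-bit primes not dividing its denominator."""
from fractions import Fraction
from math import gcd, isqrt

# The paper's absolute Igusa invariant i_2 (used here only to produce the
# residues that the paper obtains from curves over F_l).
I2 = Fraction(-40404764693716413637740986368, 22101649211923402921875)


def usable_primes(q, count, start=1 << 20):
    """First `count` primes >= start that do not divide the denominator of q
    (primes of bad reduction give no residue); trial division suffices here."""
    out, n = [], start
    while len(out) < count:
        if all(n % d for d in range(2, isqrt(n) + 1)) and q.denominator % n:
            out.append(n)
        n += 1
    return out


def residue(q, l):
    """q mod l for a rational q whose denominator is prime to l."""
    return q.numerator * pow(q.denominator, -1, l) % l


def crt(residues, moduli):
    """x with x = r_i (mod m_i) for pairwise coprime m_i; returns (x, prod m_i)."""
    x, big_m = 0, 1
    for r, m in zip(residues, moduli):
        x += big_m * (((r - x) * pow(big_m, -1, m)) % m)
        big_m *= m
    return x % big_m, big_m


def rational_reconstruct(x, big_m):
    """Wang's algorithm: the unique a/b with a = b*x (mod M), |a| <= B, 0 < b <= B,
    B = isqrt(M // 2) (so 2a^2 < M and 2b^2 < M for odd M), found by running the
    extended Euclidean algorithm on (M, x) until the remainder is <= B.
    Loop invariant: r_i = t_i * x (mod M).  Returns None if no such a/b exists."""
    bound = isqrt(big_m // 2)
    r0, r1, t0, t1 = big_m, x % big_m, 0, 1
    while r1 > bound:
        q = r0 // r1
        r0, r1, t0, t1 = r1, r0 - q * r1, t1, t0 - q * t1
    if t1 == 0 or abs(t1) > bound or gcd(r1, abs(t1)) != 1:
        return None
    a, b = (r1, t1) if t1 > 0 else (-r1, -t1)
    assert (a - b * x) % big_m == 0
    return Fraction(a, b)


def lift_rational(residues, primes):
    """CRT-combine the residues and reconstruct the rational number, or None."""
    x, big_m = crt(residues, primes)
    return rational_reconstruct(x, big_m)


def lifting_table(target, primes):
    """For k = 1, 2, ...: the rational recovered from the first k primes (None where
    Wang's algorithm outputs nothing), mirroring the paper's table."""
    residues = [residue(target, l) for l in primes]
    return [lift_rational(residues[:k], primes[:k]) for k in range(1, len(primes) + 1)]


def primes_needed(target, primes):
    """Smallest k for which the first k primes reproduce the target (0 if never)."""
    for k, value in enumerate(lifting_table(target, primes), start=1):
        if value == target:
            return k
    return 0


if __name__ == "__main__":
    ps = usable_primes(I2, 12)
    for k, value in enumerate(lifting_table(I2, ps), start=1):
        status = "-" if value is None else ("ok" if value == I2 else "wrong rational")
        print(k, "primes:", status)
    print("primes needed:", primes_needed(I2, ps))
```

Until the product of the primes exceeds twice the square of the numerator of $i_2$ (about $2^{191}$), the reconstruction either fails or returns some other small rational that happens to match the residues; from ten 20-bit primes on, the output is $i_2$ itself, which is exactly the behaviour the paper's table records.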



Secondly, we construct a secure Jacobian defined over a finite field by the fast algorithm of [8]. Specifically, using the prime ideal factorization of the Frobenius endomorphism, we found a principal prime ideal $(\omega)$ of $K$

such that $N_{K/\mathbb{Q}}(\omega) = p$, where $p = 5231262434024213788387387$. Then we obtained a secure Jacobian of order
$$\#J(F_p) = 2^4 \times p_{\max},$$
where $p_{\max}$ is the 160-bit prime
$$p_{\max} = 1710381665854894312958517262601197350921820022483.$$
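Two number-theoretic checks sit behind the choices in this example: the small primes $l$ (and the Frobenius norm $p$) must split completely in $K$, i.e. $Z(X)$ must have four distinct roots modulo the prime, and the Jacobian order $2^4 p_{\max}$ must be consistent with the Weil bounds over $F_p$. The following added example (not the paper's code) counts the distinct roots of $Z$ modulo a prime $l$ as $\deg \gcd(X^l - X, Z)$ over $F_l$ with a few lines of polynomial arithmetic, applies it to small $l$ and to the paper's $p$, and checks the genus-2 Weil interval $(\sqrt{p}-1)^4 \le \#J \le (\sqrt{p}+1)^4$ with integers. $Z(X) = X^4 + 122X^2 + 1525$ as the minimal polynomial of $\alpha = \sqrt{-61+6\sqrt{61}}$ and the slightly loosened integer form of the Weil interval are the example's own assumptions.

```python
"""Splitting of the CM field's defining polynomial modulo primes (used to pick
the small primes l of Section 7 and to check the Frobenius prime p), plus a
Weil-bound sanity check of the Jacobian order.  Added example, not code from
the paper.  Assumption: Z(X) = X^4 + 122 X^2 + 1525 is the minimal polynomial
of alpha = sqrt(-61 + 6*sqrt(61)), from (alpha^2 + 61)^2 = 36*61."""
from math import isqrt

Z = [1525, 0, 122, 0, 1]                      # coefficients, lowest degree first
P = 5231262434024213788387387                 # the paper's Frobenius norm p
P_MAX = 1710381665854894312958517262601197350921820022483
J_ORDER = 2 ** 4 * P_MAX                      # the paper's #J(F_p)


def trim(a):
    """Drop leading zero coefficients; the zero polynomial is [0]."""
    while len(a) > 1 and a[-1] == 0:
        a = a[:-1]
    return a


def poly_mod(a, m, p):
    """Remainder of a modulo m over F_p (m needs an invertible leading coefficient)."""
    a = [c % p for c in a]
    inv = pow(m[-1] % p, -1, p)
    for i in range(len(a) - len(m), -1, -1):
        c = a[i + len(m) - 1] * inv % p
        for j, mj in enumerate(m):
            a[i + j] = (a[i + j] - c * mj) % p
    return trim(a[:len(m) - 1] or [0])


def poly_mul(a, b, p):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % p
    return trim(out)


def poly_powmod(base, e, m, p):
    """base^e modulo m over F_p by square-and-multiply."""
    result, base = [1], poly_mod(base, m, p)
    while e:
        if e & 1:
            result = poly_mod(poly_mul(result, base, p), m, p)
        base = poly_mod(poly_mul(base, base, p), m, p)
        e >>= 1
    return result


def poly_gcd(a, b, p):
    a, b = trim([c % p for c in a]), trim([c % p for c in b])
    while b != [0]:
        a, b = b, poly_mod(a, b, p)
    return a


def count_roots_mod(poly, l):
    """Number of distinct roots of poly in F_l: deg gcd(X^l - X, poly)."""
    xl = poly_powmod([0, 1], l, poly, l)
    xl = xl + [0] * (2 - len(xl))             # make sure the X coefficient exists
    xl[1] = (xl[1] - 1) % l                   # X^l - X reduced modulo poly
    return len(poly_gcd(poly, trim(xl), l)) - 1


def split_primes(poly, bound, start=2):
    """Primes l in [start, bound) modulo which poly has deg(poly) distinct roots,
    i.e. splits completely (the primes usable in Step 1 of the example)."""
    degree = len(poly) - 1
    found = []
    for l in range(max(start, 2), bound):
        if all(l % d for d in range(2, isqrt(l) + 1)) and count_roots_mod(poly, l) == degree:
            found.append(l)
    return found


def within_weil_bounds(order, p):
    """Genus-2 Weil interval (sqrt(p)-1)^4 <= #J <= (sqrt(p)+1)^4, loosened to
    integers with s = floor(sqrt(p)): a necessary condition, not a proof of the order."""
    s = isqrt(p)
    return (s - 1) ** 4 <= order <= (s + 2) ** 4


if __name__ == "__main__":
    print("small primes where Z splits completely:", split_primes(Z, 200))
    print("distinct roots of Z mod p:", count_roots_mod(Z, P))
    print("#J = 2^4 * p_max within the Weil bounds:", within_weil_bounds(J_ORDER, P))
```

Modulo 13 one has $Z \equiv (X^2+1)(X^2+4)$ with roots $\pm 3, \pm 5$, so 13 is one of the small primes the example can use, whereas 3, 7, 11, 17 and 19 are inert and give no residue; the same root count applied to $p$ confirms that $p$ splits completely, as it must for $p = N_{K/\mathbb{Q}}(\omega)$.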

Finally, from the invariants calculated above we construct a secure curve over $F_p$ whose Jacobian has the above order:
$$i_1 = \frac{-116152266457850949605013807041682945649672192}{6402508627232391130785654498779296875},$$
$$i_2 = \frac{-40404764693716413637740986368}{22101649211923402921875},$$
$$i_3 = \frac{-63585703806382049374801395712}{66304947635770208765625}.$$

The equation of the curve is restricted here to the form
$$Y^2 = X^5 + X^3 + a_2 X^2 + a_1 X + a_0.$$
Notice that this restriction does not exclude any possible isomorphism class of the curves.

By the algorithm mentioned before, using polynomial resultant computation, we obtained the coefficients of a curve with the given invariants over $F_p$ as
$$a_0 = 417929590974323696943368,\quad a_1 = 2257561965032447596454492,\quad a_2 = 2418466578595705463946119.$$

The twisted curve of the above curve has the equation
$$C/F_p : Y^2 = X^5 + c^2 X^3 + c^3 a_2 X^2 + c^4 a_1 X + c^5 a_0,$$
where $c = 2$. It has the same secure order constructed above.
Appendix: Subfamilies Whose Models Can Be Determined from Their Invariants

Since it is generally difficult to find an explicit model of a curve with given invariants, we use the following algorithm to find the models of curves from a point in their moduli space.

Algorithm 4

Input: A model of a family $C/K$ with $r$ parameters $a_1, \ldots, a_r$, $\{f(x, y, a_1, \ldots, a_r) = 0\}$, and a point $\mathcal{I} = (I_1, \ldots, I_m)$ in their moduli space;

Output: A definition field $F$ and a model of $C/F$: $h(x, y, a) = 0$ corresponding to $\mathcal{I}$, where $a \in F$;

Step 1 Choose $r - 1$ constraints $c_i(a_1, \ldots, a_r) = 0$, $i = 1, \ldots, r - 1$, in the parameter space to obtain a subfamily $h(x, y, a)$ with one parameter $a$;

Step 2 Reduce the defining equations $I_i := g_i(a_1, \ldots, a_r)$ of the invariants to $J_i(a) = 0$, $i = 1, \ldots, m$;

Step 3 Calculate $\gcd(J_1, \ldots, J_m) =: J(x) \in K[I_1, \ldots, I_m][x]$;

Step 4 If $J(x) \neq \mathrm{const}$, output $h(x, y, a)$ as the model over the definition field $F := K(a)$, where $a$ has minimal polynomial $J(x)$;

We can then apply this algorithm to obtain models of hyperelliptic curves of genus two from their Igusa invariants.
Abstract. In this paper we introduce a structure iterated by the rule A of Skipjack and show that this structure is provably resistant against differential or linear attacks. The main result of this paper is that the $r$-round ($r \geq 15$) differential (or linear hull) probabilities are bounded by $p^4$ if the maximum differential (or linear hull) probability of a round function is $p$, and that an impossible differential of this structure does not exist if $r \geq 16$. Applying this structure, which can be seen in a way as a generalized Feistel structure, to block cipher designs yields provable security against differential and linear attacks with upper bounds on the probabilities. We also propose an interesting conjecture.


1 Introduction 

The most powerful known attacks on block ciphers are Differential Cryptanalysis (DC) [2,3] and Linear Cryptanalysis (LC) [10,11]. Since these cryptanalyses were proposed, designers of block ciphers have tried to give provable security against DC and LC. Kanda et al. [7] classified four measures to evaluate the security of a cipher against DC and LC as follows:

1. Precise measure: the maximum average differential and linear hull probabilities.

2. Theoretical measure: the upper bounds of the maximum average differential and linear hull probabilities.

3. Heuristic measure: the maximum average differential characteristic and linear approximation probabilities.

4. Practical measure: the upper bounds of the maximum average differential characteristic and linear approximation probabilities.

Among the above four measures, the first two are measures from the theoretical point of view and the last two from the practical point of view. If the number of rounds increases, it is computationally infeasible to compute the precise and heuristic measures exactly. Therefore the theoretical and practical measures are the important measures for showing the security of a cipher against DC and LC. However, the practical measure does not give a sufficient condition for the security of a cipher against DC and LC; it is only a necessary condition, so the theoretical measure is the only one left that gives provable security against DC and LC.

T. Okamoto (Ed.): ASIACRYPT 2000, LNCS 1976, pp. 274-288, 2000.

K. Nyberg and R. Knudsen showed that the $r$-round differential (or linear hull) probabilities in the Feistel structure are bounded by $2p^2$ if the maximal differential (or linear hull) probability of the round function is $p$ and $r \geq 4$ [16]. Furthermore, the bound can be reduced to $p^2$ if the round function is bijective and $r \geq 3$ [1]. So the construction of a round function with a small maximal differential (linear hull) probability is a very important factor in obtaining a structure provably secure against DC (LC). M. Matsui gave an example of such a construction using iterated nested Feistel structures [12,13].

In this paper we prove the security of an iterated cipher following rule A of the Skipjack structure against DC and LC. The $r$-round ($r \geq 15$) differential probabilities are bounded by $p^4$ if the maximal differential probability of the round function is $p$. Since the proof for the linear hull probabilities in LC is almost the same as that for the differential probabilities [12,16,17], we only prove the upper bound of the differential probabilities of the structure. Furthermore, we show that there does not exist an impossible differential if $r \geq 16$ in the generalized Feistel structure and the Skipjack-like structure. We also give some conjectures on the generalized Feistel and Skipjack-like structures.

2 Preliminaries 

Differential cryptanalysis uses the non-uniformity of the output differences for given input differences, and linear cryptanalysis relies on the correlations between input/output bits and key bits. Block ciphers are usually constructed iteratively with the same round function. So in order to resist DC and LC one needs round functions with good properties against such attacks, together with a sufficient number of rounds.

In this section we consider a round function $F : GF(2)^n \to GF(2)^n$. We assume that the round keys are independent and uniformly random. Furthermore, the input data are also independent and uniformly random.

Definition 1. [12] For any given $\Delta X, \Delta Y, \Gamma X, \Gamma Y \in GF(2)^n$, the differential and linear hull probabilities of a round function $F$ are defined as
$$DP^F(\Delta X \to \Delta Y) = \frac{\#\{X \in GF(2)^n \mid F(X) \oplus F(X \oplus \Delta X) = \Delta Y\}}{2^n},$$
$$LP^F(\Gamma X \to \Gamma Y) = \left(\frac{\#\{X \in GF(2)^n \mid \Gamma X \cdot X = \Gamma Y \cdot F(X)\}}{2^{n-1}} - 1\right)^2,$$
where $\Gamma X \cdot X$ denotes the parity of the bitwise product of $\Gamma X$ and $X$.
In the above definitions the probabilities are the average probabilities over all possible keys. To give provable security against DC and LC with the theoretical measure we need the following definitions.

Definition 2. The maximal differential and linear hull probabilities of $F$ are defined by
$$DP^F_{\max} = \max_{\Delta X \neq 0,\ \Delta Y} DP^F(\Delta X \to \Delta Y)$$
and
$$LP^F_{\max} = \max_{\Gamma X,\ \Gamma Y \neq 0} LP^F(\Gamma X \to \Gamma Y)$$
respectively.

From the point of view of provable security, $DP^F_{\max}$ and $LP^F_{\max}$ are the important factors. With the above two definitions we can easily get the following two theorems.

Theorem 1. [12] (i) For any function $F$,
$$\sum_{\Delta Y} DP^F(\Delta X \to \Delta Y) = 1, \qquad \sum_{\Gamma X} LP^F(\Gamma X \to \Gamma Y) = 1.$$
(ii) For any bijective function $F$,
$$\sum_{\Delta X} DP^F(\Delta X \to \Delta Y) = 1, \qquad \sum_{\Gamma Y} LP^F(\Gamma X \to \Gamma Y) = 1.$$

If $F_1$ and $F_2$, functions from $GF(2)^n$ to $GF(2)^n$, are used as consecutive round functions and are relatively independent, we can calculate differential and linear hull probabilities with the following theorem.

Theorem 2. [12] For any $\Delta X, \Delta Z, \Gamma X, \Gamma Z \in GF(2)^n$,
$$DP^{F_1, F_2}(\Delta X \to \Delta Z) = \sum_{\Delta Y} DP^{F_1}(\Delta X \to \Delta Y) \cdot DP^{F_2}(\Delta Y \to \Delta Z)$$
and
$$LP^{F_1, F_2}(\Gamma X \to \Gamma Z) = \sum_{\Gamma Y} LP^{F_1}(\Gamma X \to \Gamma Y) \cdot LP^{F_2}(\Gamma Y \to \Gamma Z).$$

Since the linear hull probabilities can be calculated in the reverse order of the calculation of the differential probabilities [12,16,17], we only consider differential probabilities in this paper.

3 Provable Security for Block Cipher Structures against DC and LC

Structures of block ciphers can be roughly classified into the Feistel structure and the SPN structure. Since there has been much progress on bijective functions with good properties, interest in the SPN structure has increased. Square [5], Rijndael [6] and Crypton [8] are constructed by considering the branch number [18] in the SPN structure from the practical point of view. However, the Feistel structure has been used more widely since it places no restriction on the round function. In this section we consider the security of the Feistel structure and its modifications against DC and LC. We assume that the round keys of the round function $F$ are mutually independent and uniformly distributed, and that the maximal differential probability of the round function $F$, $DP^F_{\max}$, is $p$.

K. Nyberg and R. Knudsen showed that the $r$-round differential (or linear hull) probabilities in the Feistel structure are bounded by $2p^2$ if the maximal differential (or linear hull) probability of the round function is $p$ and $r \geq 4$. Furthermore, the bound can be reduced to $p^2$ if the round function is bijective and $r \geq 3$. So the smaller the probability $p$ is, the better the security level against DC and LC we can give. For example, consider a Feistel block cipher with a bijective round function $F : GF(2)^{32} \to GF(2)^{32}$ and at least 3 rounds. If the maximal differential probability is close to $2^{-32}$, then the upper bound on the differential probabilities of the cipher is close to $2^{-64}$, which gives almost perfect security against DC. M. Matsui gave an example of such a construction using iterated nested Feistel structures [12,13].



Fig. 1. Skipjack-like structure


Since the AES (Advanced Encryption Standard) was proposed, 128-bit block ciphers have usually been adopted. If we construct 128-bit block ciphers with the Feistel structure, we need to design a 64-bit round function. However, constructing a 64-bit round function is usually more difficult than designing a 32-bit one, and it is also a hard problem to give provable security against DC and LC. So the generalized Feistel structure, which divides the input block into 4 sub-blocks, was proposed and is used in MARS, RC6, TWOFISH, etc. We also have Skipjack [19], the 64-bit block cipher with the generalized Feistel structure dividing the input block into 4 sub-blocks; it has 32 rounds, half of them governed by rule A and the others by rule B. Fig. 1 describes the structure of iterated ciphers using rule A of Skipjack. Since the output of a round function $F$ affects both the next block and its own block, the Skipjack-like structure differs from the generalized Feistel structure and its data randomization is faster. However, the Skipjack-like structure needs a bijective round function. In the next section we prove the upper bound of the differential probabilities of the Skipjack-like structure, as for the Feistel structure.


4 The Main Result - Provable Security against DC and LC in the Skipjack-like Structure

In this section we prove the upper bound of the differential probabilities in the iterated Skipjack-like structure from the theoretical point of view. We assume that the round function $F$ is bijective and that the maximal differential probability of $F$ is $p$.

Now we consider the 15-round Skipjack-like iterated block cipher. In Fig. 2 the $\alpha_i$ denote the input block differences, the $\beta_i$ the output block differences, and the $\delta_i$ are variables denoting the $i$-th round output differences. Set the input difference to $\alpha = (\alpha_1, \alpha_2, \alpha_3, \alpha_4)$ and the output difference to $\beta = (\beta_1, \beta_2, \beta_3, \beta_4)$. By the assumption that the round function is bijective we only consider $\alpha \neq 0$ and $\beta \neq 0$. For the given nonzero input difference $\alpha$, the probability that the output difference is $\beta$ is calculated as follows. We denote the 15-round differential probability by $DP(\alpha \to \beta)$ and write $DP(\Delta X \to \Delta Y)$ for $DP^F(\Delta X \to \Delta Y)$.

$$\begin{aligned}
DP(\alpha \to \beta) = \sum\; & DP(\alpha_1 \to \delta_1) \cdot DP(\alpha_2 \oplus \delta_1 \to \delta_2) \cdot DP(\alpha_3 \oplus \delta_2 \to \delta_3) \\
& \cdot DP(\alpha_4 \oplus \delta_3 \to \delta_4) \cdot DP(\delta_1 \oplus \delta_4 \to \delta_5) \cdot DP(\delta_2 \oplus \delta_5 \to \delta_6) \\
& \cdot DP(\delta_3 \oplus \delta_6 \to \delta_7) \cdot DP(\delta_4 \oplus \delta_7 \to \delta_8) \cdot DP(\delta_5 \oplus \delta_8 \to \delta_9) \\
& \cdot DP(\delta_6 \oplus \delta_9 \to \delta_{10}) \cdot DP(\delta_7 \oplus \delta_{10} \to \delta_{11}) \cdot DP(\delta_8 \oplus \delta_{11} \to \beta_3 \oplus \beta_4) \\
& \cdot DP(\delta_9 \oplus \beta_3 \oplus \beta_4 \to \beta_1) \cdot DP(\delta_{10} \oplus \beta_1 \to \beta_2) \cdot DP(\delta_{11} \oplus \beta_2 \to \beta_3) \qquad (1)
\end{aligned}$$

Using equation (1) we prove the following main theorem.

Theorem 3. If the round function of the Skipjack-like structure is bijective and $r \geq 15$, then the $r$-round differential probabilities are bounded by $p^4$, where $p$ is the maximal average differential probability of the round function.

Proof. We prove the case $r = 15$. If $r$ is greater than 15, the claim follows easily from the case $r = 15$ and Theorems 1 and 2. We prove the theorem case by case, the cases being classified by whether the $\beta_i$ ($1 \leq i \leq 3$) are zero or not.

Case 1 ($\beta_1 = 0, \beta_2 = 0, \beta_3 = 0$)

Since we do not consider the case $\beta = 0$, $\beta_4$ is nonzero. By the case assumption we have $\delta_7 = \delta_{10} = \delta_{11} = 0$ and $\delta_3 = \delta_6 = \delta_9 = \beta_4 \neq 0$. Therefore $\delta_3, \delta_6, \delta_7, \delta_9, \delta_{10}, \delta_{11}$ are fixed, and only the variables $t = \{\delta_1, \delta_2, \delta_4, \delta_5, \delta_8\}$ are summed over in equation (1). So we have the following:

$$\begin{aligned}
DP(\alpha \to \beta) = \sum_t\; & DP(\alpha_1 \to \delta_1) \cdot DP(\alpha_2 \oplus \delta_1 \to \delta_2) \cdot DP(\alpha_3 \oplus \delta_2 \to \delta_3) \\
& \cdot DP(\alpha_4 \oplus \delta_3 \to \delta_4) \cdot DP(\delta_1 \oplus \delta_4 \to \delta_5) \cdot DP(\delta_2 \oplus \delta_5 \to \delta_6) \\
& \cdot DP(\delta_4 \to \delta_8) \cdot DP(\delta_5 \oplus \delta_8 \to \delta_9) \cdot DP(\delta_8 \to \beta_4).
\end{aligned}$$

In the above equation $DP(\alpha_3 \oplus \delta_2 \to \delta_3)$, $DP(\delta_2 \oplus \delta_5 \to \delta_6)$, $DP(\delta_5 \oplus \delta_8 \to \delta_9)$ and $DP(\delta_8 \to \beta_4)$ are bounded by $p$, since their output differences are nonzero and $F$ is bijective. So we have
$$DP(\alpha \to \beta) \leq p^4 \cdot \sum_t DP(\alpha_1 \to \delta_1) \cdot DP(\alpha_2 \oplus \delta_1 \to \delta_2) \cdot DP(\alpha_4 \oplus \beta_4 \to \delta_4) \cdot DP(\delta_1 \oplus \delta_4 \to \delta_5) \cdot DP(\delta_4 \to \delta_8) \leq p^4.$$

From now on we use tables such as Table 1. In Table 1 "relations" means the relations among the variables $\alpha_i$, $\beta_i$ and $\delta_i$; the variables fixed by these relations are constant, and only the variables $t$ are summed over in equation (1). Using the notation of Table 1 we can represent the proof of Case 1 by the following table.


Table 2. Proof of Case 1: β1 = 0, β2 = 0, β3 = 0 (each row lists, in order, the three factors on the corresponding line of equation (1))

Relations   δ7 = δ10 = δ11 = 0,  δ3 = δ6 = δ9 = β4 ≠ 0
Variable t  δ1, δ2, δ4, δ5, δ8

          1st factor       2nd factor       3rd factor
step 1    sum over δ1      sum over δ2      ≤ p
step 2    sum over δ4      sum over δ5      ≤ p
step 3    1                sum over δ8      ≤ p
step 4    1                1                ≤ p
step 5    1                1                1


Case 2 ($\beta_1 = 0, \beta_2 = 0, \beta_3 \neq 0$)

We divide Case 2 into two cases according to whether $\beta_3 \oplus \beta_4$ is zero or not. In Case 2-1 $DP(\alpha \to \beta)$ is bounded by $p^5$ and in Case 2-2 $DP(\alpha \to \beta)$ is bounded by $p^4$.

The other cases can be proved in a similar way; more details are in the Appendix. In all cases $DP(\alpha \to \beta)$ is bounded by $p^4$. □

Since the Skipjack-like structure can be regarded as one of the generalizations of the Feistel structure, provable security against LC is also obtained as in [12,16,17].

Theorem 4. If the round function of the Skipjack-like structure is bijective and $r \geq 15$, then the $r$-round linear hull probabilities are bounded by $q^4$, where $q$ is the maximal average linear hull probability of the round function.
Table 3. Proof of Case 2-1: β1 = 0, β2 = 0, β3 ≠ 0, β3 ⊕ β4 = 0

Relations   δ6 = δ9 = δ10 = 0,  δ2 = δ5 = δ8 = δ11
Variable t  δ1, δ3 ≠ 0, δ4, δ11 ≠ 0

          1st factor       2nd factor       3rd factor
step 1    sum over δ1      ≤ p              sum over δ3
step 2    sum over δ4      ≤ p              1
step 3    ≤ p              ≤ p              1
step 4    1                ≤ p              1
step 5    1                1                sum over δ11


Table 4. Proof of Case 2-2: β1 = 0, β2 = 0, β3 ≠ 0, β3 ⊕ β4 ≠ 0

Relations   δ10 = 0,  δ6 = δ9 = β3 ⊕ β4
Variable t  δ1, δ2, δ3, δ4, δ5, δ7 ≠ 0, δ8, δ11 ≠ 0

          1st factor       2nd factor       3rd factor
step 1    sum over δ1      sum over δ2      sum over δ3
step 2    sum over δ4      sum over δ5      ≤ p
step 3    ≤ p              sum over δ7      sum over δ8
step 4    1                ≤ p              ≤ p
step 5    1                1                sum over δ11


Now let us consider one of the generalizations of the Feistel structure, as in Fig. 3.

Assume that the round function is bijective. In the case $m = 2$ (the Feistel structure), if $r \geq 3 = 1 \cdot 3$ then the $r$-round differential probabilities are bounded by $p^2$. In the case $m = 3$, S. Sung [21] proved that the $r$-round differential probabilities are bounded by $p^3$ if $r \geq 8 = 2 \cdot 4$. In the case $m = 4$, the $r$-round differential probabilities are bounded by $p^4$ if $r \geq 15 = 3 \cdot 5$. So we can conjecture the following.

Conjecture 1. In the generalized Feistel structure and the Skipjack-like structure, the $r$-round differential probabilities are bounded by $p^m$ if $r \geq (m-1)(m+1)$.


5 Impossible Truncated Differential of the Generalized Feistel Structure and Skipjack-like Structure

In this section we consider impossible truncated differentials of (i) the generalized Skipjack-like structure, whose one-round transformation is $F_k(x_1, x_2, \ldots, x_m) = (f_k(x_1) \oplus x_2, x_3, \ldots, x_m, f_k(x_1))$, and (ii) the generalized (CAST256-like) Feistel structure, whose one-round transformation is $F_k(x_1, x_2, \ldots, x_m) = (f_k(x_1) \oplus x_2, x_3, \ldots, x_m, x_1)$, where $f_k : \{0,1\}^n \to \{0,1\}^n$ is a keyed round function.

Now we consider the relation between impossible truncated differentials and the number of rounds. We assume that the round functions are bijective, random and pairwise independent. Let $\Delta X = (\Delta X_1, \ldots, \Delta X_m)$ and $\Delta Y =$
$(\Delta Y_1, \ldots, \Delta Y_m)$ be an input and an output difference, respectively. Then we have the following results.

[Fig. 3: generalized Feistel structure with blocks labelled 1, 2, ..., m - 1; figure not reproduced]

Proposition 1. If $r = m^2 - 1$, there exists an impossible truncated differential of the form $(0, 0, \ldots, 0, \Delta\alpha) \not\to (\Delta\beta, 0, \ldots, 0)$ in (i) and (ii), where $\Delta\alpha$ and $\Delta\beta$ are nonzero.

Note: In the case $m = 3$ we can find the 8-round impossible truncated differential of the form $(0, 0, \Delta\alpha) \not\to (\Delta\beta, 0, 0)$ in (ii), where $\Delta\alpha$ and $\Delta\beta$ are nonzero (similarly it holds in (i)). Consider Fig. 4. Since we assumed that the round functions are bijective and $\Delta\alpha$ is nonzero, $\Delta t$ is nonzero. But the four-round output difference is zero. This is a contradiction.

With Proposition 1 and the notion of pseudorandomness of Luby and Rackoff [9], we can conjecture that impossible differentials and pseudorandomness are closely related. However, the number of queries in the impossible differential attack model is larger than that in the distinguishing attack model [14]. We can also conjecture the following.

Conjecture 2. If $r \geq m^2$, there does not exist an impossible truncated differential in (i) and (ii).

Conjecture 2 can be proved by computer if $m$ is small enough, say less than 32. A similar method can be seen in [20]. However, since we could not find a general rule of proof, we only conjecture it in the case that $m$ is large. So further work is needed.
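Definitions 1 and 2, Theorem 3, Proposition 1 and the computer check of Conjecture 2 mentioned above can all be exercised on a small instance. The following added example (not code from the paper) models the two one-round transformations (i) and (ii) of this section on differences. Its assumptions: the keyed round function is $f_k(x) = S(x \oplus k)$ for a constructed 3-bit bijective S-box $S$, so the differential table of $f_k$ does not depend on $k$, and with independent uniform round keys the difference sequence is a Markov chain; the $r$-round probabilities are therefore composed round by round exactly as in Theorem 2, carried as exact integer weights. The S-box, the block count $m$ and the round counts used in the demonstration are the example's own choices.

```python
"""Difference propagation through the Skipjack-like structure (i) and the
CAST256-like generalized Feistel structure (ii) on a toy instance.
Added example, not code from the paper.  Assumption: the keyed round function
is f_k(x) = S(x xor k) for the constructed 3-bit bijective S-box S below, so its
differential table does not depend on k, and with independent uniform round
keys the difference sequence is a Markov chain; r-round probabilities are
composed round by round as in Theorem 2 (probability = weight / 8**rounds)."""
from fractions import Fraction

# Constructed 3-bit permutation standing in for the round function (APN: p = 1/4).
SBOX = [0, 1, 3, 6, 7, 4, 5, 2]


def parity(v):
    return bin(v).count("1") & 1


def ddt(sbox):
    """ddt[dx][dy] = #{x : S(x) xor S(x xor dx) = dy}."""
    n = len(sbox)
    t = [[0] * n for _ in range(n)]
    for x in range(n):
        for dx in range(n):
            t[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return t


def dp(sbox, dx, dy):
    """DP^S(dx -> dy) of Definition 1."""
    return Fraction(ddt(sbox)[dx][dy], len(sbox))


def lp(sbox, gx, gy):
    """LP^S(gx -> gy) of Definition 1: (#{x : gx.x = gy.S(x)} / 2^(n-1) - 1)^2,
    where '.' is the parity of the bitwise product."""
    n = len(sbox)
    agree = sum(1 for x in range(n) if parity(gx & x) == parity(gy & sbox[x]))
    return (Fraction(agree, n // 2) - 1) ** 2


def dp_max(sbox):
    """p = max over dx != 0 of DP^S(dx -> dy) (Definition 2)."""
    return Fraction(max(max(row) for row in ddt(sbox)[1:]), len(sbox))


def differential_weights(alpha, rounds, structure, sbox=SBOX):
    """Integer weight of every reachable output difference after `rounds` rounds.
    (i)  'skipjack': (x1, x2, .., xm) -> (f(x1) ^ x2, x3, .., xm, f(x1))
    (ii) 'cast256' : (x1, x2, .., xm) -> (f(x1) ^ x2, x3, .., xm, x1)
    Each round multiplies the weight by the DDT count of the F-transition taken."""
    t = ddt(sbox)
    dist = {tuple(alpha): 1}
    for _ in range(rounds):
        nxt = {}
        for state, w in dist.items():
            x1, rest = state[0], state[1:]
            for delta, cnt in enumerate(t[x1]):
                if cnt:
                    tail = delta if structure == "skipjack" else x1
                    new = (delta ^ rest[0],) + rest[1:] + (tail,)
                    nxt[new] = nxt.get(new, 0) + w * cnt
        dist = nxt
    return dist


def differential_probability(alpha, beta, rounds, structure, sbox=SBOX):
    """DP(alpha -> beta) over `rounds` rounds, as an exact fraction."""
    dist = differential_weights(alpha, rounds, structure, sbox)
    return Fraction(dist.get(tuple(beta), 0), len(sbox) ** rounds)


def max_output_probability(alpha, rounds, structure, sbox=SBOX):
    """max over beta of DP(alpha -> beta); Theorem 3 says <= p^4 for m = 4, r >= 15."""
    dist = differential_weights(alpha, rounds, structure, sbox)
    return Fraction(max(dist.values()), len(sbox) ** rounds)


def truncated_impossible(m, rounds, structure, sbox=SBOX):
    """True iff (0, .., 0, a) -> (b, 0, .., 0) has probability 0 for all nonzero a, b
    (the truncated differential of Proposition 1)."""
    zeros = (0,) * (m - 1)
    for a in range(1, len(sbox)):
        dist = differential_weights(zeros + (a,), rounds, structure, sbox)
        if any(dist.get((b,) + zeros, 0) for b in range(1, len(sbox))):
            return False
    return True


if __name__ == "__main__":
    p = dp_max(SBOX)
    print("p =", p, " p^4 =", p ** 4)
    for alpha in [(1, 0, 0, 0), (0, 0, 0, 5), (7, 7, 7, 7)]:
        print("15-round max DP from", alpha, "=", max_output_probability(alpha, 15, "skipjack"))
    print("m=3, r=8 impossible (0,0,a)->(b,0,0):",
          truncated_impossible(3, 8, "skipjack"), truncated_impossible(3, 8, "cast256"))
    print("m=4, r=15 impossible (0,0,0,a)->(b,0,0,0):", truncated_impossible(4, 15, "skipjack"))
    print("m=4, r=16 impossible (0,0,0,a)->(b,0,0,0):", truncated_impossible(4, 16, "skipjack"))
```

The row and column sums of the DP and LP tables reproduce Theorem 1, the 15-round maxima stay below $p^4 = 1/256$ as Theorem 3 requires, and the truncated differential of Proposition 1 has weight zero at $r = m^2 - 1$ for both structures; the $r = 16$ line is the toy-instance analogue of the computer check of Conjecture 2 that the paragraph above describes.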

We can find the impossible differential of the form $(0, 0, 0, \Delta\alpha) \not\to (\Delta\beta, 0, 0, 0)$ in the Skipjack-like structure ($m = 4$) if $r = 15$. Skipjack is the 64-bit block cipher with an 80-bit key and 32 rounds ($A^8 B^8 A^8 B^8$) using rules A and B alternately. There has been the impossible differential attack [4], which uses the weakness of this cipher that rule B is applied only after 8 rounds of rule A. These attacks only use the structural weakness. However, if the Skipjack algorithm used $A^{16} B^{16}$ or $A^{32}$, then by Conjecture 2 in the case $m = 4$ the impossible differential attack could not be applied any more.

Fig. 4. 8-round impossible truncated differential in the case of $m = 3$

6 Conclusion

In this paper we give the provable security for the Skipjack-like cipher against DC from the theoretical point of view. If the maximal differential probability of a round function of a Skipjack-like cipher is p and r > 15, then r-round differential probabilities are bounded by $p^4$. We also suggest the conjecture that r-round differential probabilities are bounded by $p^m$ if $r > (m-1)(m+1)$, and that there does not exist an impossible differential if $r \geq m^2$, in the generalized Feistel structure and the Skipjack-like structure.

It seems a hard problem to give provable security against DC and LC for a block cipher. Until now, there has been no 128-bit block cipher with provable security against DC and LC from the theoretical point of view. So we believe our result to be very helpful for designing block ciphers provably secure against DC and LC.
Abstract. Block ciphers are usually based on one top-level scheme into 
which we plug “round functions”. To analyze security, it is important 
to study the intrinsic security provided by the top-level scheme from 
the viewpoint of randomness: given a block cipher in which we replaced 
the lower-level schemes by idealized oracles, we measure the security (in 
terms of best advantage for a distinguisher) depending on the number 
of rounds and the number of chosen plaintexts. We then extrapolate a 
sufficient number of secure rounds given the regular bounds provided by 
decorrelation theory. 

This approach allows the comparison of several generalizations of the 
Feistel schemes and others. In particular, we compare the randomness 
provided by the schemes used by the AES candidates. 

In addition we provide a general paradigm for analyzing the security pro- 
vided by the interaction between the different levels of the block cipher 
structure. 


1 Introduction 

From the attacker’s viewpoint, the block cipher used by a given user can be 
considered as an instance of a random permutation over a message block space: 
since he only knows how the secret key has been chosen, he only has probabilis- 
tic information (in a Shannon sense) on the key and the permutation. In this 
setting, security can be formalized by pseudorandomness: if there is no way to 
distinguish the block cipher from an ideal random permutation, then we cannot 
attack it. Pseudorandomness more precisely means that no oracle circuit with 
polynomially many oracle gates can distinguish between the encryption function 
and a truly random permutation. 

A block cipher is usually made from a top-level oracle circuit that we call “scheme” (for instance the circuit of the Feistel scheme [4]) into which we plug lower-level circuits that we call “primitives” like round functions, S-boxes, and so on. An attack may succeed if it “bypasses” some of the primitives by using some intrinsic weaknesses of the scheme. For instance, differential cryptanalysis [1] can investigate the differentials in which some S-boxes play no role at all. This idea motivated this paper: we consider ideal models of the block ciphers by replacing the primitives by truly random functions and study the pseudorandomness provided by the scheme.

* Part of this work was done while the author was visiting NTT Laboratories.

In this paper we investigate the randomness of several of the schemes used in 
many block ciphers. The target schemes are the Feistel scheme, variants of the 
Feistel scheme (the CAST256-like Feistel scheme, the MARS-like Feistel scheme, 
and the RC6-like Feistel scheme), and the SQUARE-like scheme used in Square, 
Rijndael and Crypton. 

The pseudorandomness of some general schemes was discussed in previous papers, e.g. [9,17]. In this paper we show how we can reach these kinds of results and extensions in an easier and more systematic way by using the decorrelation theory introduced in [13,14,15].

In order to compare the schemes we study the threshold number of rounds 
needed to achieve randomness, a theoretically sufficient number of secure rounds 
against attacks that are limited to two chosen plaintexts or ciphertexts (which 
plays a crucial role in the security against differential and linear cryptanalysis), 
and the sufficient number of secure rounds, in practice, when we use a practical 
decorrelation module (as in DFC [5]) for primitives instead of an ideal primitive. 

2 Decorrelation Theory and Randomness of Iterated Ciphers

2.1 Definitions and Basic Properties 

The goal of decorrelation theory is to provide some kind of formal proof of 
security on block ciphers. This section describes the essential definitions and 
lemmas in decorrelation theory to prove the randomness of iterated ciphers. 

Definition 1 (d-wise distribution matrix). Given a random function F¹ from a set $M_1$ to a set $M_2$ and an integer d, we define the “d-wise distribution matrix” of F as the following $M_1^d \times M_2^d$-matrix:

$[F]^d_{(x_1, \ldots, x_d), (y_1, \ldots, y_d)} = \Pr[F(x_1) = y_1, \ldots, F(x_d) = y_d],$

where $x_i \in M_1$ and $y_i \in M_2$ for i = 1, ..., d.


Definition 2 (d-wise decorrelation bias). Given a random function F from a set $M_1$ to a set $M_2$, a canonical idealized version $F^*$ of F, an integer d, and a distance D over the matrix space, we define the “d-wise decorrelation bias of F” as being the distance

$\mathrm{Dec}^d(F) = D([F]^d, [F^*]^d).$

¹ Throughout this paper, “a random function F” means a random variable F which takes values in a set of functions, following regular probability theory. The same holds for “a random permutation C”.

In cases where the canonical idealized version F* is not explicit, we will use 
the notation DecF in order to make implicit that F* is a uniformly distributed 
random function, and DecP in order to make implicit that F* is a uniformly 
distributed random permutation. 

For instance, when talking about a block cipher as a random permutation C, 
the canonical idealized version C* is a random permutation with uniform distri- 
bution. This canonical idealized version should be clear from the context. 

Given two random functions F and G from $M_1$ to $M_2$ we call “a distinguisher between F and G” any oracle Turing machine $\mathcal{A}^{\mathcal{O}}$ that can send $M_1$-element queries to the oracle $\mathcal{O}$ and receive $M_2$-element responses, and which finally outputs 0 or 1. In particular, the Turing machine can be probabilistic. In the following, the number of queries to the oracle will be limited to d. The distributions of F and G induce a distribution of $\mathcal{A}^F$ and $\mathcal{A}^G$, thus we can compute the probability that these probabilistic Turing machines output 1. We call the function

$\mathrm{Adv}_{\mathcal{A}}(F, G) = \Pr[\mathcal{A}^F = 1] - \Pr[\mathcal{A}^G = 1]$

the advantage $\mathcal{A}^{\mathcal{O}}$ achieves in distinguishing F from G.

We consider the classes $Cl^d_{na}$ (resp. $Cl^d_a$) of non-adaptive (resp. adaptive) distinguishers limited to d queries. Similarly, when F and G are permutations, we also consider the extension $Cl^d_s$ of distinguishers that are limited to d queries but who can query either the function F/G or its inverse $F^{-1}/G^{-1}$. For any class of distinguishers Cl we will denote

$\mathrm{BestAdv}_{Cl}(F, G) = \max_{\mathcal{A} \in Cl} \mathrm{Adv}_{\mathcal{A}}(F, G).$


Lemma 1 (Equivalence between best advantage and decorrelation distance [13,15]). For any random functions F and G and any integer d, we have

$|||[F]^d - [G]^d|||_\infty = 2 \cdot \mathrm{BestAdv}_{Cl^d_{na}}(F, G)$

$||[F]^d - [G]^d||_a = 2 \cdot \mathrm{BestAdv}_{Cl^d_a}(F, G)$

$||[F]^d - [G]^d||_s = 2 \cdot \mathrm{BestAdv}_{Cl^d_s}(F, G)$

where $||\cdot||_a$ and $||\cdot||_s$ are special matrix norms defined in [15] and $|||\cdot|||_\infty$ is the regular infinity associated matrix norm (the maximum of row sums).
Lemma 2 (Multiplicativity). For any f and g, we denote by $f \circ g$ their composition. For any independent random functions $F_1, \ldots, F_r$, any integer d and any matrix norm we have

$\mathrm{DecF}^d(F_1 \circ \cdots \circ F_r) \leq \mathrm{DecF}^d(F_1) \cdots \mathrm{DecF}^d(F_r).$

For any independent random permutations $C_1, \ldots, C_r$ we have

$\mathrm{DecP}^d(C_1 \circ \cdots \circ C_r) \leq \mathrm{DecP}^d(C_1) \cdots \mathrm{DecP}^d(C_r).$

Some known functions have quite small decorrelation biases called decorrela- 
tion modules. An example of decorrelation module is the NUT-IV decorrelation 
module. 

Lemma 3 (NUT-IV decorrelation module with d = 2 [15]). For an injection r from $\{0,1\}^m$ to GF(q) and a surjection $\pi$ from GF(q) to $\{0,1\}^m$, it has been shown that the random function F, defined on $\{0,1\}^m$ by

$F(x) = \pi(r(K_0) + r(K_1) x)$

for $(K_0, K_1)$ uniformly distributed in $\{0,1\}^{2m}$, provides quite good decorrelation. Namely,

$\mathrm{DecF}^2_{|||\cdot|||_\infty}(F) \leq 2(q^2 \cdot 2^{-2m} - 1).$

For better implementation efficiency, we will only consider prime integers q in this paper. The reader can refer to Noilhan [11] for implementation issues. For instance, DFC uses $q = 2^{64} + 13$ for which we obtain $\mathrm{DecF}^2_{|||\cdot|||_\infty}(F) \leq 2^{-58.3}$ (see [7]).

2.2 Basic Tools 

The randomness of a cipher constructed using random primitives such as decor- 
relation modules can be proven using decorrelation theory. In order to deduce 
an upper bound on the decorrelation bias of the cipher from an upper bound on 
the decorrelation bias of these primitives, we use the following lemma. 

Lemma 4 (Reduction to the randomness of ideal constructions [15]). Let d be an integer, $F_1, \ldots, F_r, C_1, \ldots, C_s$ be r + s independent random function oracles which are idealized by $F_1^*, \ldots, F_r^*, C_1^*, \ldots, C_s^*$ respectively, where the $C_j$ and $C_j^*$ are permutations. We let $\Omega^{F_1, \ldots, F_r, C_1, \ldots, C_s}$ be an oracle circuit which can access the previous oracles and from each query x define an output G(x). We assume that $\Omega$ is such that the number of queries to $F_i$ is limited to some integer $a_i$, and the number of queries to $C_j$ or $C_j^{-1}$ is limited to $b_j$ in total, for any i = 1, ..., r and j = 1, ..., s. We let $G^*$ be the function defined by $\Omega^{F_1^*, \ldots, F_r^*, C_1^*, \ldots, C_s^*}$. We have

$\mathrm{DecF}^d_{||\cdot||_a}(G) \leq \sum_{i=1}^{r} \mathrm{DecF}^{a_i d}_{||\cdot||_a}(F_i) + \sum_{j=1}^{s} \mathrm{DecP}^{b_j d}_{||\cdot||_s}(C_j) + \mathrm{DecF}^d_{||\cdot||_a}(G^*).$

In addition, if the $\Omega$ construction defines a permutation G, assuming that computing $G^{-1}$ leads to the same $a_i$, $b_j$ and $c_k$ limits, we have

$\mathrm{DecP}^d_{||\cdot||_s}(G) \leq \sum_{i=1}^{r} \mathrm{DecF}^{a_i d}_{||\cdot||_a}(F_i) + \sum_{j=1}^{s} \mathrm{DecP}^{b_j d}_{||\cdot||_s}(C_j) + \mathrm{DecP}^d_{||\cdot||_s}(G^*).$


Lemma 5 ([16]). Let d be an integer. Let F be a random function from a set $M_1$ to a set $M_2$. We let $\mathcal{X}$ be the subset of $M_1^d$ of all $(x_1, \ldots, x_d)$ with pairwise different entries. We let $F^*$ be a uniformly distributed random function from $M_1$ to $M_2$. We know that for all $x \in \mathcal{X}$ and $y \in M_2^d$ the value $[F^*]^d_{x,y}$ is the constant $p_0 = (\#M_2)^{-d}$. We assume there exists a subset $\mathcal{Y} \subseteq M_2^d$ and two positive real values $\varepsilon_1$ and $\varepsilon_2$ such that

— $(\#\mathcal{Y})\, p_0 \geq 1 - \varepsilon_1$

— $\forall x \in \mathcal{X}\ \forall y \in \mathcal{Y}\quad [F]^d_{x,y} \geq p_0 (1 - \varepsilon_2).$

This yields $\mathrm{DecF}^d_{||\cdot||_a}(F) \leq 2\varepsilon_1 + 2\varepsilon_2$.

This lemma intuitively means that if $[F]^d_{x,y}$ is close to $[F^*]^d_{x,y}$ for all x and almost all y, then the decorrelation bias of F is small. We have a twin lemma for the $||\cdot||_s$ norm. Here, since we can query y as well, the approximation must hold for all x and y.

Lemma 6 ([16]). Let d be an integer. Let C be a random permutation on a set M. We let $\mathcal{X}$ be the subset of $M^d$ of all $(x_1, \ldots, x_d)$ with pairwise different entries. We let $F^*$ be a uniformly distributed random function on M. We let $C^*$ be a uniformly distributed random permutation on M. We have

— if $[C]^d_{x,y} \geq [C^*]^d_{x,y}(1 - \varepsilon)$ for all x and y in $\mathcal{X}$ then $\mathrm{DecP}^d_{||\cdot||_s}(C) \leq 2\varepsilon$

— if $[C]^d_{x,y} \geq [F^*]^d_{x,y}(1 - \varepsilon)$ for all x and y in $\mathcal{X}$ then $\mathrm{DecP}^d_{||\cdot||_s}(C) \leq 2\varepsilon + 2d^2 (\#M)^{-1}$.


2.3 Examples 

First this section studies how many rounds are required for Luby-Rackoff’s ran- 
domness assuming round functions to be random ones. This is related to the 
“lack of randomness” provided by the upper-level design. The required numbers 
of rounds for the Feistel scheme and some generalized Feistel schemes are shown 
in [17, Section 3.2]. 

Hereafter we use the following notations. $I_n$ denotes the set of all n-bit strings, $\{0,1\}^n$. $H_n$ denotes the set of all $I_n \to I_n$ functions and $P_n$ denotes the set of all such permutations. By $x \in_U X$ we mean that x is drawn randomly and uniformly from a finite set X.
Lemma 7 (Luby-Rackoff 1986 [9]). Let $(F_1^*, F_2^*, F_3^*, F_4^*) \in_U (H_{m/2})^4$ be four independent random functions. We have

$\mathrm{DecF}^d_{|||\cdot|||_\infty}(\Psi(F_1^*, F_2^*, F_3^*)) \leq 2d^2 \cdot 2^{-m/2}$

$\mathrm{DecP}^d_{||\cdot||_a}(\Psi(F_1^*, F_2^*, F_3^*)) \leq 2d^2 \cdot 2^{-m/2}$

$\mathrm{DecP}^d_{||\cdot||_s}(\Psi(F_1^*, F_2^*, F_3^*, F_4^*)) \leq 2d^2 \cdot 2^{-m/2}$

Here $\Psi(F_1, \ldots, F_r)$ is the notation introduced by Luby and Rackoff in order to denote a Feistel scheme where the i-th round function is $F_i$.²

This lemma is tight in the sense that 2 rounds are not enough for pseudorandomness and 3 rounds are not enough for super-pseudorandomness. Indeed, we can make a simple distinguisher against a 2-round Feistel scheme with d = 2 queries with an advantage equal to $1 - 2^{-m/2}$ by querying random (a, b) and (a, c) plaintexts and checking that the right half difference is equal to $b \oplus c$. The same holds for super-pseudorandomness with 3 rounds (see Patarin [12]): we can query for the encryption of (a, b) and $(a, b \oplus \delta)$, obtain (x, y) and (x', y') respectively, query for the decryption of $(x, y \oplus \delta)$ and $(x', y' \oplus \delta)$, and check that the obtained left halves are equal.

This lemma can be formally proven by using Lemmas 5 and 6. From Lemmas 2 and 4 this is generalized for a permutation on $\{0,1\}^m$ consisting of r rounds of Feistel transformations:

$\mathrm{DecP}^d_{||\cdot||_a}(\Psi(F_1, \ldots, F_r)) \leq \left(2d^2 \cdot 2^{-m/2} + 3 \max_i \mathrm{DecF}^d_{||\cdot||_a}(F_i)\right)^{\lfloor r/3 \rfloor}$

$\mathrm{DecP}^d_{||\cdot||_s}(\Psi(F_1, \ldots, F_r)) \leq \left(2d^2 \cdot 2^{-m/2} + 4 \max_i \mathrm{DecF}^d_{||\cdot||_a}(F_i)\right)^{\lfloor r/4 \rfloor}$

for any independent functions $F_1, \ldots, F_r \in H_{m/2}$. This leads to the following conclusions about the regular Feistel scheme with m = 128.

— The threshold number of rounds for achieving the security result is 3 for pseudorandomness and 4 for super-pseudorandomness, when $d \ll 2^{32}$.

— The theoretical sufficient number of secure rounds for achieving a decorrelation bias of $2^{-m}$ is $a \left\lceil \frac{m}{m/2 - 1 - 2 \log_2 d} \right\rceil$ with a = 3 for pseudorandomness and a = 4 for super-pseudorandomness, when $d \ll 2^{32}$. This leads to 9 and 12 rounds, respectively, for d = 2.

— When using the NUT-IV decorrelation module with d = 2, m = 128 and $q = 2^{64} + 13$ in each round (as for instance DFC), these numbers of rounds provide decorrelation biases less than $2^{-m}$ for the corresponding norms.

Here we used an arbitrary threshold of 2~ m for the decorrelation bias used in 
order to compare different schemes. Since 2~ m yields a level of security given 
by exhaustive search on m bits, we believe it is a relevant objective criterion for 
comparing schemes. We also focused on d = 2 which leads to security against 
differential and linear cryptanalysis. 

² In order to be consistent with further schemes, the first round here maps the left half through $F_1$ and adds it to the right half.
Fig. 1. CAST256-like Feistel Scheme


3 Several Cases 

3.1 CAST256-like Feistel Scheme 

CAST-256 is an AES candidate based on a generalized Feistel scheme called “Type-1 transformation” by Zheng-Matsumoto-Imai [17] and denoted by $\Psi_1$. Formally, we define $\Psi_1(f_1, \ldots, f_r) \in H_m$ as $\Psi_1()(x) = x$ and

$\Psi_1(f_1, \ldots, f_r)(x_1, \ldots, x_k) = \Psi_1(f_2, \ldots, f_r)(f_1(x_1) + x_2, x_3, x_4, \ldots, x_k, x_1)$

for any primitive set $f_1, \ldots, f_r \in H_{m/k}$. Here k is the number of branches and r is the number of rounds.

Lemma 8 (Zheng-Matsumoto-Imai 1989 [17]). For independent and uniformly distributed random functions $F_1^*, \ldots, F_{2k-1}^* \in_U H_{m/k}$ and an integer d, we have

$\mathrm{DecP}^d_{||\cdot||_a}(\Psi_1(F_1^*, \ldots, F_{2k-1}^*)) \leq 2(k-1) d^2 \cdot 2^{-m/k}$

It can easily be shown that the number of rounds of 2k − 1 for pseudorandomness is actually minimal. For instance, if we take 2k − 2 rounds and d = 2, we can submit two chosen plaintexts for which only the input of the rightmost branch has changed. The input difference in this branch will always be equal to the output difference in the second branch, which leads to a distinguisher of advantage $1 - 2^{-m/k}$.

We however notice that a number of rounds of $k^2 - k$ is not enough for super-pseudorandomness. With k(k − 1) rounds, we can decrypt $(y_1, y_2, \ldots, y_k)$ and $(y_1', y_2, \ldots, y_k)$, obtain $(x_1, \ldots, x_k)$ and $(x_1', \ldots, x_k')$ respectively, and check that $x_1 \oplus x_1' = y_1 \oplus y_1'$. This actually shows that the inverse of the $\Psi_1$ scheme is not pseudorandom unless the number of rounds is very large. Actually, the CAST256 cipher is a construction like

$(\Psi_1(f_r, \ldots, f_{s+1}))^{-1} \circ \Psi_1(f_1, \ldots, f_s).$

We can show that the above attack generalizes to this scheme for r < 4k − 6, that r = 4k − 4 is enough for pseudorandomness, and that r = 4k − 2 is enough for super-pseudorandomness.
Proof (sketch). We use Lemma 5 for evaluating $\mathrm{DecF}^d_{||\cdot||_a}$. We let $\mathcal{Y}$ be the set of all $y = (y_1, \ldots, y_d)$ where $y_i = (y_i^1, \ldots, y_i^k)$, such that $y_i^j \neq y_{i'}^j$ for j > 1 and i < i'. We get $\varepsilon_1 = (k-1) \frac{d(d-1)}{2} 2^{-m/k}$. We then consider the event in which the first entry after the (k − 1)th round takes pairwise different values for $x_1, \ldots, x_d$. Upper bounding the probability when this event occurs we get $\varepsilon_2 = (k-1) \frac{d(d-1)}{2} 2^{-m/k}$. Thus $\mathrm{DecF}^d_{||\cdot||_a}(F) \leq 2(k-1) d(d-1) 2^{-m/k}$.

Here, $\varepsilon_2$ is evaluated as the number of unexpected equalities between two outputs from a single circuit of depth k − 1 with k inputs and internal $F^*$ and additions, times the probability it occurs, which is at most the depth k − 1 times $2^{-m/k}$.

Now to get DecP from DecF, from $\mathrm{DecF}^d_{||\cdot||_a}(C^*) \leq d(d-1) 2^{-m}$ and the triangular inequality we have

$\mathrm{DecP}^d_{||\cdot||_a}(F) \leq \mathrm{DecF}^d_{||\cdot||_a}(F) + \mathrm{DecP}^d_{||\cdot||_a}(F^*) \leq \mathrm{DecF}^d_{||\cdot||_a}(F) + d^2 2^{-m}.$

We then notice that the obtained upper bound for $\mathrm{DecF}^d_{||\cdot||_a}$ can be written $\mathrm{DecF}^d_{||\cdot||_a}(F) \leq A\, d(d-1) 2^{-m/k}$ for some A ≥ 2. For $d \leq A\, 2^{m - m/k}$ we thus obtain $\mathrm{DecP}^d_{||\cdot||_a}(F) \leq A\, d^2 2^{-m/k}$. For larger d, this bound is greater than $A^3 2^{m(2 - 3/k)}$, which is greater than 8 since m ≥ k ≥ 2. Since $\mathrm{DecP}^d_{||\cdot||_a}(F)$ is always less than 2, the bound is thus still valid. □

Thus the required number of rounds for the CAST256-like scheme is proven 
to be 2k — 1, where k is the number of branches. That is, the required numbers 
of rounds for the Feistel scheme and the CAST256-like scheme are 3 and 7, 
respectively. 

This leads to the following conclusions about the CAST256-like scheme with 
k = 4 branches and m = 128. 

— The threshold number of rounds is 7 for pseudorandomness when $d \ll 2^{16}$. For super-pseudorandomness, this threshold is larger than 13.

— For d = 2, the theoretical sufficient number of secure rounds is 35 for pseudorandomness.

— For the NUT-IV decorrelation module with d = 2, m = 128 and $q = 2^{32} + 15$, the sufficient number of rounds is 42 for pseudorandomness.


3.2 MARS-like Feistel Scheme 

Similarly, we define the MARS-like generalized Feistel scheme, denoted by $\Psi(f_1, \ldots, f_r) \in H_m$, by $\Psi()(x) = x$ and

$\Psi(f_1, \ldots, f_r)(x_1, \ldots, x_k) = \Psi(f_2, \ldots, f_r)(f_1^2(x_1) + x_2, f_1^3(x_1) + x_3, \ldots, f_1^k(x_1) + x_k, x_1)$

where $f_i = (f_i^2, \ldots, f_i^k)$ and $f_i^2, \ldots, f_i^k \in H_{m/k}$.
Fig. 2. MARS-like Feistel Scheme


Lemma 9. For independent uniformly distributed random functions $F_i^j \in_U H_{m/k}$ for i = 1, ..., 2k and j = 2, ..., k and an integer d, we have

$\mathrm{DecP}^d_{||\cdot||_a}(\Psi(F_1^*, \ldots, F_{k+1}^*)) \leq 2d^2 \cdot 2^{-m/k}$

$\mathrm{DecP}^d_{||\cdot||_s}(\Psi(F_1^*, \ldots, F_{2k}^*)) \leq 2d^2 \cdot 2^{-m/k}$

It can easily be shown that the number of rounds of k + 1 for pseudorandomness 
is actually minimal since a difference in the last input branch only remains 
unchanged after k rounds. Similarly, for 2k — 1 rounds, we can merge the first 
k — 1 branches and consider that we have a regular 3-round Feistel scheme, and 
we can apply the same attack for proving it is not super-pseudorandom. 

Proof (sketch). Using Lemma 5 we let $\mathcal{Y}$ be the set of all $(y_1, \ldots, y_d)$ such that $y_i \neq y_j$ for $i \neq j$. We get $\varepsilon_1 = \frac{d(d-1)}{2} 2^{-m/k}$. We focus on the event that the first output after k − 1 rounds leads to no collision. We get $\varepsilon_2 = \frac{d(d-1)}{2} 2^{-m/k}$.

For $\mathrm{DecP}^d_{||\cdot||_s}$ we use the same event. □

This leads to the following conclusions about the MARS-like scheme with 
k = 4 branches and m= 128. 

— The threshold number of rounds is 5 for pseudorandomness and 8 for super-pseudorandomness, when $d \ll 2^{16}$.

— For d = 2, the theoretical sufficient number of secure rounds is 25 for pseudorandomness and 40 for super-pseudorandomness.

— For the NUT-IV decorrelation module with d = 2, m = 128 and $q = 2^{32} + 15$, the sufficient number of rounds is as for the ideal case.

3.3 RC6-like Feistel Scheme 

The RC6 block cipher is designed to be secure by mixing operations that are 
efficiently implemented on most modern processors. 

One controversial additional operation is the data dependent rotation. Such a scheme cannot provide pseudorandomness nor super-pseudorandomness.³ Indeed, the attack in Gilbert et al. [6] exhibits an efficient polynomial time distinguisher.

3 As was mentioned by Joux during the third Advanced Encryption Standard work- 
shop, although Iwata and Kurosawa had claimed the opposite two days before at the 
FSE00 workshop [8] . 
Fig. 3. RC6'-like Feistel Scheme


However, we can consider RC6', a transformation of RC6 WITHOUT the data dependent rotations. The structure of RC6' can be regarded as a generalized Feistel scheme, which is similar to the “Type-2 transformation” named by Zheng-Matsumoto-Imai [17], assuming that primitives are independent random functions. Formally, the RC6'-like Feistel scheme $\Psi_2(f_1, \ldots, f_r) \in H_m$ is defined for k even and r a multiple of $k/2$, by $\Psi_2()(x) = x$ and

$\Psi_2(f_1, \ldots, f_r)(x_1, \ldots, x_k) = \Psi_2(f_{k/2+1}, \ldots, f_r)(x_2, f_2(x_4) + x_3, \ldots, x_{k-2}, f_{k/2}(x_k) + x_{k-1}, x_k, f_1(x_2) + x_1),$

where $f_1, \ldots, f_r \in H_{m/k}$. We consider this as r rounds which are processed in bunches of $k/2$ parallel rounds.

Lemma 10. For independent uniformly distributed random functions $F_1^*, \ldots, F_{k^2}^* \in_U H_{m/k}$ and an integer d, we have

$\mathrm{DecP}^d_{||\cdot||_a}(\Psi_2(F_1^*, \ldots, F_{\frac{k}{2}(k+1)}^*)) \leq \frac{k^2}{2} d^2 \cdot 2^{-m/k}$

$\mathrm{DecP}^d_{||\cdot||_s}(\Psi_2(F_1^*, \ldots, F_{k^2}^*)) \leq \frac{k^2}{2} d^2 \cdot 2^{-m/k}$

It can easily be shown that the number of rounds of $\frac{k}{2}(k+1)$ for pseudorandomness is actually minimal. Tightness of the $k^2$ bound for super-pseudorandomness is still open. (We already know that it is tight for k = 2.)

Proof (sketch). Similarly, we use Lemma 9 for evaluating $\mathrm{DecP}^d_{||\cdot||_a}$. For it we let $\mathcal{Y}$ be the set of all y such that $y_i^j \neq y_{i'}^j$ for odd j and i < i'. We get $\varepsilon_1 = \frac{k}{2} \times \frac{d(d-1)}{2} 2^{-m/k}$. We consider the event in which all even entries after the (k − 1)th bunch of rounds take pairwise different values for $x_1, \ldots, x_d$. We get $\varepsilon_2 = \frac{k}{2}(k-1) \times \frac{d(d-1)}{2} 2^{-m/k}$. Thus $\mathrm{DecF}^d_{||\cdot||_a}(F) \leq \frac{k^2}{2} d(d-1) 2^{-m/k}$. For $\mathrm{DecP}^d_{||\cdot||_s}$, we add k − 1 more bunches of rounds and study the probability that we get y if we invert them on $y_1, \ldots, y_d$. The result comes from Lemma 6. □

This leads to the following conclusions about the RC6'-like scheme with k = 4 
branches and m = 128. 

— The threshold number of rounds is 5 for pseudorandomness and between 5 and 8 for super-pseudorandomness, when $d \ll 2^{16}$.

— For d = 2, the theoretical sufficient number of secure rounds is 25 for pseudorandomness and between 25 and 40 for super-pseudorandomness.

— For the NUT-IV decorrelation module with d = 2, m = 128 and $q = 2^{32} + 15$, the sufficient number of rounds is as for the ideal case.

3.4 SQUARE-like Scheme 

In this paper we discuss only the Rijndael scheme. The pseudorandomness of other SQUARE-like schemes will be described in the full paper. Let us formalize the Rijndael scheme on $k^2$ values by

$\Gamma(f_1, \ldots, f_r)(x_1, \ldots, x_{k^2}) = \Gamma(f_2, \ldots, f_r)(\mathrm{MixCol}(\mathrm{ShiftRow}(f_1^1(x_1), \ldots, f_1^{k^2}(x_{k^2}))))$

where $f_i = (f_i^1, \ldots, f_i^{k^2})$, $f_i^1, \ldots, f_i^{k^2} \in H_{m/k^2}$, the ShiftRow transformation is a fixed linear transformation on the rows of a k × k matrix which consists in mixing them, and the MixCol transformation is a fixed linear transformation on the columns [3].

Lemma 11. For independent uniformly distributed random functions $F_1^*, \ldots, F_5^*$ and an integer d, we have

$\mathrm{DecP}^d_{||\cdot||_a}(\Gamma(F_1^*, \ldots, F_3^*)) \leq 2k^2 d^2 \cdot 2^{-m/k^2}$

$\mathrm{DecP}^d_{||\cdot||_s}(\Gamma(F_1^*, \ldots, F_5^*)) \leq 2k^2 d^2 \cdot 2^{-m/k^2}$

Thus achieving decorrelation to the order $d > \sqrt{2^{m/k^2} / (2k^2)}$ does not seem possible with this design. (For m = 128 and k = 4, this is $d = 2\sqrt{2}$.)

It can easily be shown that the number of rounds of 3 for pseudorandomness 
is actually minimal. The tightness of the 5 bound depends on the instance of the 
cipher. 

Proof (sketch). We use Lemma 9 for evaluating $\mathrm{DecP}^d_{||\cdot||_a}$. We let $\mathcal{Y}$ be the set of all $y = (y_1, \ldots, y_d)$ that take different values on all positions before the last MixCol and ShiftRow transformations. We have $\varepsilon_1 = k^2 \frac{d(d-1)}{2} 2^{-m/k^2}$. We consider the event that after two rounds we obtain different values on all positions. Provided that the MixCol transformation has good diffusion properties we obtain $\varepsilon_2 =$ □

This leads to the following conclusions about the Rijndael scheme with $k^2 = 4^2$ branches and m = 128.

— The threshold number of rounds is 3 for pseudorandomness and between 3 and 5 for super-pseudorandomness, when d < 3.

— For d = 2, the theoretical sufficient number of secure rounds is 384 for pseudorandomness and between 384 and 640 for super-pseudorandomness.

— For the NUT-IV decorrelation module with d = 2, m = 128 and $q = 2^8 + 1$, the bounds of decorrelation theory cannot guarantee any low decorrelation bias for any number of rounds.
Table 1. Randomness of several schemes (when d = 2, k = 4, m = 128)

Scheme        | threshold  | sufficient   | sufficient    | threshold  | sufficient     | sufficient      | Example
              | rounds     | rounds       | rounds        | rounds     | rounds         | rounds          |
              | for p.r.   | p.r. (ideal) | p.r. (NUT-IV) | for s.p.r. | s.p.r. (ideal) | s.p.r. (NUT-IV) |
--------------+------------+--------------+---------------+------------+----------------+-----------------+--------------
Feistel       | 3          | 9            | 9             | 4          | 12             | 12              | Twofish, DFC
--------------+------------+--------------+---------------+------------+----------------+-----------------+--------------
CAST256-like  | 7          | 35           | 42            | > 13       |                |                 | CAST-256
MARS-like     | 5          | 25           | 25            | 8          | 40             | 40              | MARS
RC6'-like     | 5          | 25           | 25            | 5-8        | 25-40          | 25-40           |
Rijndael      | 3          | 384          | ∞             | 3-5        | 384-640        | ∞               | Rijndael

Note: “p.r.” and “s.p.r.” mean pseudorandomness and super-pseudorandomness, respectively.
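As an added check (example code written for this edition, not the paper's own), the following Python recomputes the Lemma 3 NUT-IV bias and the ideal and NUT-IV columns of Table 1 from the lemma bounds, using the round-count rule that Section 2.3 states for the Feistel scheme; applying that rule to the other schemes' lemmas, and counting one module instance per round function, are this example's assumptions.

```python
import math
from fractions import Fraction

# Added example, not code from the paper. It recomputes the numbers the text
# states from its own bounds: Lemma 3 gives the NUT-IV bias, and the rule of
# Section 2.3, rounds = a * ceil(m / -log2(B)), turns a scheme lemma's bound
# B on one block of a rounds into the rounds needed for a bias of at most
# 2^-m. Assumption: the rule, stated for the Feistel scheme, is applied to
# every lemma in the same way.


def nut_iv_bias(q, m):
    """Lemma 3: DecF^2(F) <= 2 * (q^2 * 2^(-2m) - 1), computed exactly."""
    return 2 * (Fraction(q * q, 2 ** (2 * m)) - 1)


def nut_iv_bias_log2(q, m):
    """log2 of the Lemma 3 bound, e.g. about -58.3 for DFC's q = 2^64 + 13."""
    return math.log2(float(nut_iv_bias(q, m)))


def scheme_lemma(scheme, k, m):
    """(coefficient c, exponent e, a_pr, a_spr): the ideal block bound is
    B = c * d^2 * 2^-e and a block has a rounds (Lemmas 7 to 11). RC6'-like
    rounds are counted in bunches of k/2 parallel functions, as in Table 1.
    The exponent e is also the input width of one round function."""
    lemmas = {
        "Feistel":      (Fraction(2),           m // 2,       3,         4),
        "CAST256-like": (Fraction(2 * (k - 1)), m // k,       2 * k - 1, None),
        "MARS-like":    (Fraction(2),           m // k,       k + 1,     2 * k),
        "RC6'-like":    (Fraction(k * k, 2),    m // k,       k + 1,     2 * k),
        "Rijndael":     (Fraction(2 * k * k),   m // (k * k), 3,         5),
    }
    return lemmas[scheme]


def ideal_block_bound(scheme, d, k, m):
    c, e, _, _ = scheme_lemma(scheme, k, m)
    return c * d * d / Fraction(2 ** e)


def sufficient_rounds(block_bound, a, m):
    """Smallest multiple of a with block_bound^(rounds/a) <= 2^-m, or None
    when the block bound is already >= 1 and no number of rounds helps."""
    if block_bound >= 1:
        return None
    return a * math.ceil(m / -math.log2(float(block_bound)))


def nut_iv_block_bound(scheme, d, k, m, q, modules_per_round):
    """Lemma 4 on one block of a_pr rounds: ideal bound plus the Lemma 3 bias
    of every NUT-IV instance in the block, each on e = m/branch bits."""
    _, e, a_pr, _ = scheme_lemma(scheme, k, m)
    return ideal_block_bound(scheme, d, k, m) + a_pr * modules_per_round * nut_iv_bias(q, e)


def reproduce_table_1(d=2, k=4, m=128):
    """Ideal columns of Table 1: {scheme: (rounds for p.r., rounds for s.p.r.)}."""
    out = {}
    for scheme in ("Feistel", "CAST256-like", "MARS-like", "RC6'-like", "Rijndael"):
        _, _, a_pr, a_spr = scheme_lemma(scheme, k, m)
        b = ideal_block_bound(scheme, d, k, m)
        out[scheme] = (sufficient_rounds(b, a_pr, m),
                       sufficient_rounds(b, a_spr, m) if a_spr is not None else None)
    return out


def nut_iv_rows(d=2, k=4, m=128):
    """NUT-IV p.r. column for the rows with a clear-cut result: Feistel
    (q = 2^64 + 13, one module per round), CAST256-like (q = 2^32 + 15) and
    Rijndael (q = 2^8 + 1, k^2 modules per round). The MARS-like and
    RC6'-like rows depend on how module instances are counted per round and
    are not recomputed here."""
    cases = {"Feistel": (2 ** 64 + 13, 1),
             "CAST256-like": (2 ** 32 + 15, 1),
             "Rijndael": (2 ** 8 + 1, k * k)}
    out = {}
    for scheme, (q, per_round) in cases.items():
        _, _, a_pr, _ = scheme_lemma(scheme, k, m)
        out[scheme] = sufficient_rounds(nut_iv_block_bound(scheme, d, k, m, q, per_round), a_pr, m)
    return out


if __name__ == "__main__":
    print("NUT-IV bias for DFC (q = 2^64 + 13, m = 64): 2^%.1f" % nut_iv_bias_log2(2 ** 64 + 13, 64))
    for scheme, (pr, spr) in reproduce_table_1().items():
        print(f"{scheme:13s} ideal: p.r. {pr} rounds, s.p.r. {spr} rounds")
    for scheme, rounds in nut_iv_rows().items():
        print(f"{scheme:13s} NUT-IV: {'no bound for any number of rounds' if rounds is None else rounds}")
```

For Rijndael with q = 2^8 + 1 the block bound exceeds 1, which is exactly the "∞" entry of the table.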


4 Conclusion 

We studied the randomness provided by several schemes used in block ciphers. 
We focused on the schemes for AES candidates in particular (see Table 1). The 
randomness so discovered is a good measure for evaluating the security from a 
randomness viewpoint but the readers should take care to note that it doesn’t 
show the actual security of a cipher based on one of the schemes. To study the 
intrinsic security provided by the general schemes, we decomposed the ciphers 
into a general scheme and internal primitives, ignoring the components that we 
considered do not affect its randomness. We also assumed that internal primitives 
are ideal random ones. 

The results in Table 1 show that the regular Feistel scheme is the best in that it requires the fewest rounds for pseudorandomness and super-pseudorandomness. However, when comparing the randomness of several schemes we should take account of the computational cost of random primitives. For example, for the Feistel scheme we assume the random functions on $\{0,1\}^{64}$, and for the CAST256-like⁴, MARS-like, and RC6-like schemes, we assume the random functions on $\{0,1\}^{32}$, whose computational cost is much cheaper than the former. Under the same assumption of the computational cost of random functions on $\{0,1\}^{32}$, the MARS-like scheme is the best. Table 1 separates the schemes according to the size of the internal random functions.

Our results show that the schemes that use random primitives with smaller input/output sizes are less secure, which is not surprising because the randomness bias is larger in these cases. We should interpret these conclusions with great care. Indeed, our results do not mean that Rijndael (or Serpent⁵) is not secure, or less secure than regular Feistel schemes. Rather they mean that the latter can benefit from stronger security arguments: we can prove that an efficient attack against, say, Twofish must use an unexpected property of the round function, whereas an attack against Serpent may hold for any set of (random) S-boxes.

⁴ Table 1 considers the $\Psi_1$ structure only and not the $\Psi_1^{-1} \circ \Psi_1$ scheme on which CAST256 is based. This latter scheme increases the threshold number of rounds for p.r. to 12.

⁵ A preliminary study suggested that the Serpent scheme requires too many rounds for randomness, because the size of primitives is too small (4 bits).

On the Pseudorandomness of Top-Level Schemes of Block Ciphers 301
Abstract. This paper describes some attacks on word-oriented stream 
ciphers that use a linear feedback shift register (LFSR) and a non-linear 
filter. These attacks rely on exploiting linear relationships corresponding 
to multiples of the connection polynomial that define the LFSR. 
Keywords: stream ciphers, cryptanalysis, SOBER, t-class, SSC-II. 


1 Introduction 

This paper presents new attacks on word-oriented stream ciphers constructed 
from a linear feedback shift register (LFSR) and a non-linear filter (NLF). These 
ciphers are constructed from operations on blocks of bits called words, where the 
length of a word is denoted by w. In particular this paper analyses what we call 
SOBER-like ciphers (based on the SOBER family of ciphers [8,12,13,14]) and SSC-like ciphers (as used in SSC [15], and SSC-II [16]).

The LFSR of a SOBER-like cipher produces a stream $\{s_t\}$ of w-bit words using operations over the Galois field of order $2^w$, which is denoted $GF(2^w)$. The words $s_t$ are called L-words and the stream is called the L-stream. The L-words $(s_0, \ldots, s_{r-1})$ are initialised from the secret key (some ciphers also initialise using a resynchronisation value). The remaining words are produced by iterating a linear recurrence $s_{t+r} = \sum_{i=0}^{r-1} a_i s_{t+i}$, where $a_i \in GF(2^w)$ are constant, and multiplication and addition are performed over $GF(2^w)$. Addition over $GF(2^w)$ is equivalent to bit-wise exclusive-OR (XOR). The LFSR is represented by the connection polynomial $p(x) = x^r + \sum_{i=0}^{r-1} a_i x^i$, where, once more, multiplication and addition are performed over $GF(2^w)$. The set of exponents of p(x) with nonzero coefficients is called the LFSR tapset, denoted T. The LFSR of an SSC-like cipher differs in that it uses bit rotations rather than field multiplications and is based on a bit-wise LFSR (more details are given in Sect. 2). The vector $\sigma_t = (s_t, \ldots, s_{t+r-1})$ in either cipher is known as the state of the LFSR at time t.

The L-stream is fed through an NLF to produce the N-stream $\{v_t = F(\sigma_t)\}$. The words $v_t$ are called N-words. SOBER-like ciphers use an LFSR with a large state $\sigma_t$, and the NLF relies on a small, fixed subset of the words in $\sigma_t$. That is, we can write $v_t = F(s_{t+\gamma_1}, \ldots, s_{t+\gamma_a})$, where $\Gamma = \{\gamma_1, \ldots, \gamma_a\} \subset \{0, \ldots, r-1\}$ is the NLF tapset. SSC-like ciphers, on the other hand, use an LFSR with a small state, and the NLF relies on the entire state.

T. Okamoto (Ed.): ASIACRYPT 2000, LNCS 1976, pp. 303-316, 2000. 

© Springer- Verlag Berlin Heidelberg 2000 
SOBER-like ciphers use an LFSR, an NLF and a form of decimation called 
stuttering (described in Sect. 3). The resulting stream, denoted {z n }, is the key 
stream. The stuttering chooses which N-words will be output to the key stream. 
The stuttering is intended to, and appears to, defeat attacks requiring large 
amounts of output, such as correlation attacks [4,10]. However, the stuttering 
merely adds an almost constant factor to the complexity of the attacks described 
below. 

In the analysis of stream ciphers based on bit-wise LFSRs, cryptanalysts 
found that attacks could be improved by exploiting linear relationships in the 
L-stream other than that expressed by the linear recurrence (see for example 
[4,6,10]). Such linear relationships correspond to multiples of the connection 
polynomial: the polynomial r(x) = p(x) · q(x) = \sum_{i=0}^{n} e_i x^i corresponds to a 
linear relationship of the form \sum_{i=0}^{n} e_i s_{t+i} = 0. For the remainder of the paper, 
a multiple refers to either a multiple of the connection polynomial or the linear 
relationship corresponding to that multiple. The main purpose of this paper is 
to provide examples of word-oriented stream ciphers for which the multiples can 
lead to low complexity attacks. 

The first example is a component of the word-oriented stream cipher SSC-II [16]. 
SSC-II consists of two half-ciphers producing streams that are XORed 
to form the output. One of these half-ciphers is based on a 4-word LFSR (each 
word consists of 32 bits), with an NLF and no stuttering. The LFSR is based 
on a simple 127-bit, bit-wise linear recurrence that appears difficult to exploit 
due to the word-oriented structure of the NLF. However, a power of the bit-wise 
connection polynomial results in a linear relationship between corresponding 
bits of s_t, s_{t+63} and s_{t+127}. This paper describes how this relationship can be 
exploited in an attack of complexity c(2^{41.7}) against the LFSR half-cipher, where 
c(N) indicates that the complexity is expected to be a small multiple of N. The 
authors would like to emphasise that this attack on the half-cipher does not 
defeat the entire SSC-II cipher. 

The attack on the SSC-II half-cipher is due to the bit-wise connection polynomial 
of the LFSR having extremely low weight (that is, a low number of terms). 
If the LFSR was based on a higher-weight connection polynomial, but there was 
some low-weight, low-degree multiple r(x), then a similar attack could be applied 
using this multiple. The linear recursion over GF(2^w) in a SOBER-like cipher can 
be shown to be equivalent to implementing w parallel bit-wise LFSRs of length 
wr over GF(2), see [9]. The constants a_i are chosen so that the bit-wise LFSR 
has many terms (high weight). This property defeats attacks similar to the above 
attack, as well as defeating other attacks designed for stream ciphers employing 
bit-wise LFSRs. The most successful attacks against SOBER-like ciphers have 
been what we call guess-and-determine (GD) attacks [1,2,3,7,8,12,13]. These GD 
attacks are based on exploiting two relationships: the linear relationship between 
L-words described by the LFSR; and the relationship between L-words and the 
key stream defined by the NLF. However, previous attacks have not exploited 
any further linear relationships. 
The latest edition of the SOBER ciphers, the t-class [8], contains three ciphers: t8, 
t16 and t32. The cipher t16 is currently being assessed for use in "third generation" 
mobile communication systems, while t32 is being implemented for encryption 
in mail transfer sessions between e-mail servers. Thus far, our research into 
the t-class has not found any GD attacks exploiting further linear relationships 
that can decrease the complexity below that of previously known GD attacks. 
However, we have observed that multiples can lead to low-complexity GD attacks 
on other SOBER-like ciphers. This is demonstrated by a dummy SOBER-like 
cipher, TIPSY, for which the best GD attacks exploiting only the LFSR and 
NLF have complexity c(2^{150}). Our search method found a GD attack exploiting 
further linear relationships for which the complexity is reduced to c(2^{117}). 

The paper is arranged as follows. Section 1.1 introduces some definitions. 
Section 2 describes the analysis of the LFSR half-cipher in SSC-II. Section 3 
introduces GD attacks and the cipher TIPSY is analysed. Section 4 describes 
our method for finding GD attacks. Conclusions and areas for further research 
are discussed in Sect. 5. 


1.1 Definitions 

For any t ≥ 0, we define a candidate L-word u_t to be a guess for the value of 
the L-word s_t, and define a candidate state μ_t = (u_t, ..., u_{t+r-1}) to be a guess 
for the value of σ_t. We consider that an LFSR-based stream cipher is broken 
once the initial state of the LFSR has been determined. One method by which a 
stream cipher can be attacked is to search through every candidate μ_t until the 
value of σ_t is found (this process is commonly known as guessing). A candidate 
state is tested (to see if it is correct) by constructing a key stream using this 
value μ_t, and comparing the resulting key stream with the observed key stream. 
If the two streams match then the candidate is correct. In general, the large size 
of the register and the corresponding large number of possible candidate states 
make any such attack prohibitive. 

2 Analysis of SSC-II 

SSC-II [16] was proposed by Zhan, Carroll and Chan, and is based on w = 32-bit 
operations and w-bit words. The cipher consists of two half-ciphers: each half-cipher 
produces a stream of 32-bit words and these streams are XORed to form 
the output. One half-cipher uses a lagged Fibonacci generator which is based on 
addition modulo 2^32 and is not considered here. The other half-cipher is based 
on a four-word LFSR. This LFSR produces an L-stream of 32-bit L-words {s_t} 
by iterating the linear recurrence s_{t+4} = s_{t+2} ⊕ (s_{t+1} << 31) ⊕ (s_t >> 1), 
where a << b (a >> b) denotes left (right) shifting of a by b bits. The bit-shifts 
are not cyclic: the remaining values are filled with zero bits. We denote 
the corresponding bit-stream by {b_i} where b_{32t+j} = s_t[j], the j-th bit of s_t, 
0 ≤ j ≤ 31, t ≥ 0. The bit stream {b_i} can be produced by a bit-wise LFSR with 
linear recurrence b_{i+127} = b_{i+63} + b_i (mod 2). The LFSR in SSC-II calculates 
32 bits of the L-stream simultaneously. SSC [15] employs an LFSR based on a 
similar principle. 

The LFSR half-cipher has an NLF containing: addition modulo 2^32, denoted 
by ⊞; 32-bit XOR; swapping the higher and lower order halves of the 32-bit 
word, denoted by SWAP; and including the carry resulting from adding words, 
where → denotes outputting this carry. Let s_t^* denote the word s_t with the least 
significant bit (LSB) set to one. The N-word v_t is determined from the state 
σ_t = (s_t, ..., s_{t+3}) as follows: 

A = s_t^* ⊞ s_{t+3} → c_1,   B = SWAP(A), 

C = B ⊞ (s_{t+2} ⊕ (c_1 · s_t^*)) → c_2,   v_t = c_2 ⊞ (s_{t+1} ⊕ s_{t+2}) ⊞ C, 

where c_1 · s_t^* = 0 if c_1 = 0 and c_1 · s_t^* = s_t^* if c_1 = 1. 

Note 1. Let p(x) = x^{127} + x^{63} + 1 denote the connection polynomial for the bit 
stream {b_i}. Due to cancellation of terms, p^2(x) = x^{127·2} + x^{63·2} + 1, p^4(x) = 
x^{127·4} + x^{63·4} + 1, and so forth. Thus, p^{32}(x) = x^{127·32} + x^{63·32} + 1, indicating 
that b_{i+127·32} = b_{i+63·32} + b_i. This implies that s_{t+127}[m] = s_{t+63}[m] + s_t[m], for 
each m, 0 ≤ m ≤ 31, and thus s_{t+127} = s_{t+63} ⊕ s_t. 
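The following Python script is an added example, not part of the paper: it iterates the SSC-II word recurrence from a constructed four-word state, checks the bit-wise recurrence b_{i+127} = b_{i+63} + b_i and the word relation s_{t+127} = s_{t+63} ⊕ s_t of Note 1, and computes the tapsets of p^2(x), ..., p^{32}(x) in GF(2)[x] to show the cancellation of terms. The function names are chosen for this example. One detail the check has to respect: the LSB of s_0 is discarded by the shift s_t >> 1 and never enters the recurrence, so the bit stream is a 127-bit LFSR sequence from b_1 onward, and the checks start at i = 1 and t = 1.

```python
# Added example (not from the paper): the SSC-II LFSR half-cipher's word
# recurrence, its bit-wise view, and the relationships of Note 1.
MASK32 = 0xFFFFFFFF

def ssc2_lstream(state, n):
    """Iterate s_{t+4} = s_{t+2} ^ (s_{t+1} << 31) ^ (s_t >> 1) (32-bit,
    non-cyclic shifts) from a four-word state; return the first n L-words."""
    s = list(state)
    while len(s) < n:
        t = len(s) - 4
        s.append(s[t + 2] ^ ((s[t + 1] << 31) & MASK32) ^ (s[t] >> 1))
    return s

def bitstream(words):
    """b_{32t+j} = s_t[j]: the L-stream read as a bit stream, LSB of s_0 first."""
    return [(w >> j) & 1 for w in words for j in range(32)]

def bit_recurrence_holds(bits):
    """b_{i+127} = b_{i+63} + b_i (mod 2). The check starts at i = 1: b_0 = s_0[0]
    is dropped by the shift s_t >> 1 and never enters the recurrence, which is
    why the word recurrence carries only a 127-bit state."""
    return all(bits[i + 127] == bits[i + 63] ^ bits[i]
               for i in range(1, len(bits) - 127))

def word_relation_holds(words):
    """s_{t+127} = s_{t+63} ^ s_t for t >= 1 (t = 0 would involve the free bit b_0)."""
    return all(words[t + 127] == words[t + 63] ^ words[t]
               for t in range(1, len(words) - 127))

def clmul(a, b):
    """Product of two GF(2)[x] polynomials held as ints (bit i is the x^i term)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def poly_power(p, e):
    """p(x)^e in GF(2)[x] by repeated squaring."""
    r = 1
    while e:
        if e & 1:
            r = clmul(r, p)
        p = clmul(p, p)
        e >>= 1
    return r

def tapset(poly):
    """Exponents of a GF(2)[x] polynomial with nonzero coefficient."""
    return {i for i in range(poly.bit_length()) if (poly >> i) & 1}

P_BITWISE = (1 << 127) | (1 << 63) | 1       # p(x) = x^127 + x^63 + 1

def note1_power_tapsets():
    """Tapsets of p^2, p^4, ..., p^32: the cross terms cancel at every squaring,
    so each power keeps exactly three terms."""
    return {k: tapset(poly_power(P_BITWISE, k)) for k in (2, 4, 8, 16, 32)}

if __name__ == "__main__":
    init = [0x12345678, 0x9ABCDEF0, 0x0F1E2D3C, 0x4B5A6978]   # constructed state
    ls = ssc2_lstream(init, 400)
    print(bit_recurrence_holds(bitstream(ls)), word_relation_holds(ls))
    print(sorted(note1_power_tapsets()[32]))                  # [0, 2016, 4064]
```

Running the script prints `True True` and the three surviving exponents of p^{32}(x); 2016 = 63·32 and 4064 = 127·32, exactly the word-aligned relation the attack below relies on.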

This linear relationship is likely to lend the LFSR half-cipher to a fast 
correlation attack. The authors are currently analysing SSC-II to assess the 
complexity of such an attack. The following attack illustrates an alternative method 
of exploiting this linear relationship. The 32-bit words are first divided into two 
16-bit half-words: for example, s_{t+i} = sH_{t+i} || sL_{t+i} and v_{t+j} = vH_{t+j} || vL_{t+j}. 
Note that the half-word N-words vH_t and vL_t are functions of the half-words 
sH_{t+i} and sL_{t+i}, 0 ≤ i ≤ 3, using addition modulo 2^16 (below, ⊞ denotes this 
16-bit addition), 16-bit XOR and carries d_i from the addition of the lower half-words: 

AL = sL_t^* ⊞ sL_{t+3} → d_1,   AH = sH_t ⊞ sH_{t+3} ⊞ d_1 → c_1, 

CL = AH ⊞ (sL_{t+2} ⊕ (c_1 · sL_t^*)) → d_2, 

CH = AL ⊞ (sH_{t+2} ⊕ (c_1 · sH_t)) ⊞ d_2 → c_2, 

vL_t = c_2 ⊞ (sL_{t+1} ⊕ sL_{t+2}) ⊞ CL → d_3, 

vH_t = (sH_{t+1} ⊕ sH_{t+2}) ⊞ CH ⊞ d_3. 

(The SWAP step is integrated into the evaluation of CL and CH.) If the values 
of c_1 ∈ {0, 1}, (c_2 ⊞ d_1) ∈ {0, 1, 2} and (d_2 ⊞ d_3) ∈ {0, 1, 2} are known, then 
the NLF half-word outputs can be written as: 

vL_t = sH_t ⊞ sH_{t+3} ⊞ (sL_{t+2} ⊕ (c_1 · sL_t^*)) ⊞ (sL_{t+1} ⊕ sL_{t+2}) ⊞ (c_2 ⊞ d_1), 
vH_t = sL_t^* ⊞ sL_{t+3} ⊞ (sH_{t+2} ⊕ (c_1 · sH_t)) ⊞ (sH_{t+1} ⊕ sH_{t+2}) ⊞ (d_2 ⊞ d_3). 

For fixed values of c_1, (c_2 ⊞ d_1) and (d_2 ⊞ d_3), the expression for the LSB of 
vL_t provides a linear relationship between the LSBs of sL_t^*, sH_t, sL_{t+1} and 
sH_{t+3}. Similarly, the expression for the LSB of vH_t provides a linear relationship 
between the LSBs of sL_t^*, sH_t, sH_{t+1} and sL_{t+3}. The LSB of sL_t^* is one, so this 
can be ignored. 
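As an added example (not from the paper), the script below implements the NLF exactly as written above on 32-bit words, re-evaluates it on 16-bit half-words to expose the carries c_1, c_2, d_1, d_2, d_3, and checks on constructed random states that the two agree, that the two linear forms for vL_t and vH_t hold once c_1, (c_2 ⊞ d_1) and (d_2 ⊞ d_3) are known, and that the LSB of vL_t depends only on the LSBs named in the text. Names such as nlf_word and nlf_halfwords are the example's own.

```python
# Added example (not from the paper): the SSC-II NLF as written above, its
# half-word decomposition with explicit carries, and the linear forms that
# hold once c_1, (c_2 + d_1) and (d_2 + d_3) are known.
import random

M32, M16 = 0xFFFFFFFF, 0xFFFF

def swap(x):
    """SWAP: exchange the upper and lower 16-bit halves of a 32-bit word."""
    return ((x & M16) << 16) | (x >> 16)

def halves(x):
    """(sH, sL) of a 32-bit word."""
    return x >> 16, x & M16

def nlf_word(s0, s1, s2, s3):
    """v_t from sigma_t = (s_t, ..., s_{t+3}) using 32-bit operations."""
    s0s = s0 | 1                                  # s_t^*: LSB forced to one
    a = s0s + s3
    c1, A = a >> 32, a & M32                      # A = s_t^* + s_{t+3} -> c_1
    B = swap(A)
    c = B + (s2 ^ (s0s if c1 else 0))
    c2, C = c >> 32, c & M32                      # C = B + (s_{t+2} ^ c_1.s_t^*) -> c_2
    return (c2 + (s1 ^ s2) + C) & M32

def nlf_halfwords(s0, s1, s2, s3):
    """The same NLF on 16-bit half-words; returns v_t and (c1, c2, d1, d2, d3)."""
    sH0, sL0 = halves(s0 | 1)
    sH1, sL1 = halves(s1)
    sH2, sL2 = halves(s2)
    sH3, sL3 = halves(s3)
    al = sL0 + sL3;                    d1, AL = al >> 16, al & M16
    ah = sH0 + sH3 + d1;               c1, AH = ah >> 16, ah & M16
    cl = AH + (sL2 ^ (sL0 if c1 else 0));       d2, CL = cl >> 16, cl & M16
    ch = AL + (sH2 ^ (sH0 if c1 else 0)) + d2;  c2, CH = ch >> 16, ch & M16
    vl = c2 + (sL1 ^ sL2) + CL;        d3, vL = vl >> 16, vl & M16
    vH = ((sH1 ^ sH2) + CH + d3) & M16
    return (vH << 16) | vL, (c1, c2, d1, d2, d3)

def nlf_linear_form(s0, s1, s2, s3, c1, c2d1, d2d3):
    """vL_t and vH_t as sums modulo 2^16 once the three carry terms are known."""
    sH0, sL0 = halves(s0 | 1)
    sH1, sL1 = halves(s1)
    sH2, sL2 = halves(s2)
    sH3, sL3 = halves(s3)
    vL = (sH0 + sH3 + (sL2 ^ (sL0 if c1 else 0)) + (sL1 ^ sL2) + c2d1) & M16
    vH = (sL0 + sL3 + (sH2 ^ (sH0 if c1 else 0)) + (sH1 ^ sH2) + d2d3) & M16
    return vL, vH

def decomposition_holds(trials=2000, seed=7):
    """On constructed random states: word NLF == half-word NLF == linear form,
    and LSB(vL_t) = LSB(sH_t) ^ LSB(sH_{t+3}) ^ c_1 ^ LSB(sL_{t+1}) ^ LSB(c_2 + d_1)
    (the sL_t^* term is the constant c_1 because its LSB is one)."""
    rng = random.Random(seed)
    for _ in range(trials):
        s = [rng.getrandbits(32) for _ in range(4)]
        v = nlf_word(*s)
        v2, (c1, c2, d1, d2, d3) = nlf_halfwords(*s)
        vL, vH = nlf_linear_form(*s, c1, c2 + d1, d2 + d3)
        if v != v2 or v != ((vH << 16) | vL):
            return False
        lsb = ((s[0] >> 16) ^ (s[3] >> 16) ^ c1 ^ s[1] ^ (c2 + d1)) & 1
        if lsb != (vL & 1):
            return False
    return True
```

The carry terms are what the attack guesses: with them fixed, both half-word outputs are sums of terms that each depend on one L-word, which is what makes the LSB layer (and then each higher bit layer in turn) linear.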
Consider the sets X = {0, 1, 2, 3, 63, 64, 65, 66, 126, 189}, 
Y = {0, 63, 126, 127, 189, 190, 253, 254, 317, 381}, and 
Z = {0, 1, 2, 3, 63, 64, 65, 66, 126, 127, 128, 129, 130, 189, 190, 191, 192, 193, 
253, 254, 255, 256, 257, 317, 318, 319, 320, 381, 382, 383, 384}. 

The values of L-words s_{t+j}, j ∈ Z, can be derived from values of the L-words 
s_{t+i}, i ∈ X, by applying the equation in Note 1. For example, s_{t+127} = s_{t+63} ⊕ s_t, 
and s_{t+191} = s_{t+127} ⊕ s_{t+64}. Thus, each L-word s_{t+j}, j ∈ Z, can be expressed 
as s_{t+j} = ⊕_{i∈X} β_{j,i} s_{t+i}, where β_{j,i} ∈ {0, 1} for i ∈ X. Furthermore, these 
equations relate bits of the L-words s_{t+j}, j ∈ Z, to corresponding bits of the 
L-words s_{t+i}, i ∈ X: s_{t+j}[m] = ⊕_{i∈X} β_{j,i} s_{t+i}[m], for each m, 0 ≤ m ≤ 31. 
Note that the values of the 10 N-words v_{t+j}, j ∈ Y, rely on the set of L-words s_{t+j}, 
j ∈ Z. Each bit of these L-words s_{t+j}, j ∈ Z, is, in turn, a linear function of the 
corresponding bits in the 10 L-words s_{t+i}, i ∈ X. Candidates u_{t+i}, i ∈ X, for the 
L-words s_{t+i}, i ∈ X, are determined as follows. 

From the expressions for the 20 half-word outputs vL_{t+j} and vH_{t+j}, j ∈ Y, 
we get 20 linear equations in the LSBs of uH_{t+j}, uL_{t+j+1}, uH_{t+j+1}, uL_{t+j+3} 
and uH_{t+j+3}, j ∈ Y. The attacker guesses the values of c_1, (c_2 ⊞ d_1) and 
(d_2 ⊞ d_3) in the expression for each N-word v_{t+j}, j ∈ Y. For each of the 10 
N-words there are 2 possible values for c_1, and 3 possible values each for (c_2 ⊞ d_1) 
and (d_2 ⊞ d_3). Therefore, the total number of guesses is (2 · 3^2)^{10} = 2^{41.7}. These 
values are subtracted from the expressions for the 20 half-word outputs vL_{t+j} 
and vH_{t+j}, j ∈ Y, to get 20 linear equations in the LSBs of uH_{t+j}, uL_{t+j+1}, 
uH_{t+j+1}, uL_{t+j+3} and uH_{t+j+3}, j ∈ Y. As noted above, each of these LSBs is, 
in turn, a linear equation in the LSBs of uL_{t+i} and uH_{t+i}, i ∈ X. Thus the 
attacker obtains 20 linear equations in the LSBs of uL_{t+i} and uH_{t+i}, i ∈ X 
(these LSBs represent a total of 20 bits). These equations are solved to obtain 
the LSBs of uL_{t+i} and uH_{t+i}, i ∈ X. From these LSBs, the attacker determines 
the LSBs of uL_{t+j} and uH_{t+j}, j ∈ Z, which enables the attacker to determine the 
carries up to the second LSBs of vL_{t+j} and vH_{t+j}, j ∈ Y. After subtracting these carries, 
the attacker now has 20 linear equations in the second LSBs of uH_{t+j}, uL_{t+j+1}, 
uH_{t+j+1}, uL_{t+j+3} and uH_{t+j+3}, j ∈ Y. Once again, each of these bits is a linear 
equation in the second LSBs of uL_{t+i} and uH_{t+i}, i ∈ X. The attacker obtains the 
system of 20 linear equations in the second LSBs of uL_{t+i} and uH_{t+i}, i ∈ X (20 
in total), and solves this system to obtain these values. This process is repeated 
to obtain all of the bits in uL_{t+i} and uH_{t+i}, i ∈ X. These candidates (uL_{t+i} 
and uH_{t+i}, i ∈ X) combine to form several full states, any of which may be 
tested (by producing some of the N-stream and comparing it with the observed 
key stream). 

As mentioned above, the total number of guesses is 2^{41.7}, so the process 
complexity of the attack is c(2^{41.7}). The data complexity of the attack is small: the 
attacker requires v_{t+j}, j ∈ Y, for a single t, which will require observing 382 
consecutive key-stream words. This attack is feasible for one primary reason: 
the bit-wise connection polynomial has a small number of terms. The attack 
would also have been feasible if there were low-weight, low-degree multiples of 
the bit-wise connection polynomial. However, the attack cannot be applied if the 
weight of the multiple is sufficiently high, or the degree is sufficiently large, for 
the following reasons. A high-weight multiple of the bit-wise connection polynomial 
would require more equations in the N-words before the system of bit-wise 
linear equations was solvable. Consequently, more values of c_1, (c_2 ⊞ d_1), (d_2 ⊞ d_3) 
would be guessed, increasing the complexity and rendering the attack infeasible. 
On the other hand, if the degree of the multiple exceeds the maximum number 
of key-stream words produced from a single initial state, then this relationship 
cannot be exploited, regardless of weight. 


3 Guess-and-Determine Attacks 

The LFSRs of SOBER-like ciphers correspond to bit-wise connection polynomials 
with extremely large numbers of terms. For example, the LFSR of t16 has 
a corresponding bit-wise connection polynomial with approximately 136 terms. 
This property helps SOBER-like ciphers resist the kind of attack described in the 
previous section. The most successful attacks [1,2,3,7,14,13,12] against SOBER-like 
ciphers have been GD attacks (there is no common name for these attacks). 
The following example describes a dummy SOBER-like cipher which is used to 
demonstrate how GD attacks are performed, and how GD attacks can, in some 
cases, be improved by exploiting multiples. 

Example 1. TIPSY is a SOBER-like cipher designed for w = 16-bit processors, 
so the words are 16 bits long and all operations are 16-bit operations. TIPSY 
uses the LFSR tapset T = {0, 1, 4, 13} and the NLF tapset Γ = {0, 5, 10, 11}. 
The linear recursion is of the form s_{t+13} = s_{t+4} + s_{t+1} + a s_t, where a = 0xEDED, 
and addition and multiplication are performed over GF(2^16). The corresponding 
connection polynomial is p(x) = x^{13} + x^4 + x + a. The NLF is of the form 
v_t = F(s_t, s_{t+5}, s_{t+10}, s_{t+11}) = f(s_t ⊞ s_{t+11}) ⊞ s_{t+5} ⊞ s_{t+10}, where ⊞ denotes 
addition modulo 2^16 and f is a fixed, nonlinear, one-to-one 16-bit S-box. TIPSY 
decimates the N-stream to form the key stream using the same stuttering as t16 
(the stuttering is described in Sect. 3.1). 

As mentioned in Sect. 1.1, a stream cipher can be broken by guessing the 
value of any state σ_t, but the large size of the register and the corresponding 
large number of possible candidate states make any such attack prohibitive. GD 
attacks guess only a small set of candidate L-words, rather than an entire state. 
These attacks then use some observed N-stream words, and the relationships 
resulting from the LFSR and the NLF, to determine an entire state from this 
smaller set of L-words. 

Example 2. In attacking TIPSY, if u_t, u_{t+1} and u_{t+13} are guessed, then u_{t+4} 
can be determined as u_{t+4} = u_{t+13} + u_{t+1} + a u_t. Alternatively, if u_{t+5}, u_{t+10} and 
u_{t+11} are guessed then u_t can be determined from v_t: if ⊟ denotes subtraction 
modulo 2^16, then u_t = f^{-1}(v_t ⊟ (u_{t+5} ⊞ u_{t+10})) ⊟ u_{t+11}. 

These two processes of determining L-words are called D-exploiting the LFSR 
and NLF respectively (the 'D' is for 'determine'). Note that, for TIPSY, D-exploiting 
the LFSR and NLF is computationally equivalent to c(1) encryption. 
The same applies to the t-class ciphers. D-exploiting the NLF is not a new 
concept: inversion attacks [6] and the generalised inversion attacks [5] are based 
on a similar approach. 

Given a suitable portion of the N-stream,^1 previous GD attacks were based 
on guessing candidates for a small set of L-words, D-exploiting the LFSR and 
NLF to determine a full candidate state, and then testing this candidate 
state. These analyses of SOBER-like ciphers examined only those GD attacks 
that exploit the relationships explicitly defined by the LFSR and NLF. This 
paper extends the range of GD attacks by D-exploiting further multiples. There 
are simply too many multiples to begin searching for all attacks exploiting all 
possible multiples. Consequently, a method has been developed for reducing the 
amount of work by considering multiples that are more likely to lead to improved 
attacks: the rationale behind the authors' approach is described in Sect. 4. Using 
this method, the authors conducted a search for attacks exploiting polynomials of 
degree 2r (twice the degree of p(x)) or less and with 10 or fewer terms. This method 
cannot be guaranteed to find the best attack, as there may be some other 
high-weight or high-degree polynomial which can be exploited in a low complexity 
attack. However, the existence of such an attack becomes less likely as the 
weight and degree of the polynomials increase. 

When applied to the t-class ciphers, the analysis described in Sect. 4 re- 
vealed that the additional linear relationships did not provide an attack of lower 
complexity than was already known. However, the analysis of TIPSY did find 
improvements by exploiting further multiples. The lowest complexity GD-attack 
D-exploiting only the LFSR and NLF of TIPSY has complexity c(2 128 ), given 
a suitable portion of the N-stream. Using the method described in Sect. 4, the 
authors found the following attack of complexity c(2 96 ), given a suitable portion 
of N-stream, a significant improvement. 


Example 3. Table 1 describes a GD attack on TIPSY that D-exploits the LFSR, 
the NLF and the following multiples: 

p^2(x) = x^{26} + x^8 + x^2 + a^2, 
r_1(x) = (x^9 + x^6 + x^3 + 1) · p(x) 
       = x^{22} + x^{19} + x^{16} + a x^9 + a x^6 + a x^3 + x + a, 
r_2(x) = (x^{12} + a x^{11} + a^2 x^{10} + x^6 + x^3 + a x^2 + a^2 x + 1) · p(x) 
       = x^{25} + a x^{24} + a^2 x^{23} + x^{19} + (a^3 + 1) x^{10} + a^2 x^5 + (a^3 + 1) x + a. 

To perform the attack, a portion of the N-stream must be observed, including 
v_{t+i}, i ∈ {4, 7, 11, 12, 17, 18, 22, 23}, for some value of t. Let φ_t denote the six-word 
candidate vector φ_t = (u_{t+12}, u_{t+14}, u_{t+15}, u_{t+17}, u_{t+22}, u_{t+27}). For a given 
value of φ_t, Steps 2 to 18 in Table 1 determine candidates for the 17 L-words: 

s_{t+i}, i ∈ {4, 5, 6, 7, 8, 9, 18, 21, 23, 25, 28, 29, 30, 32, 33, 34, 41}. 

^1 The problem of obtaining a suitable portion of N-stream from the key stream is 
addressed in Sect. 3.1. 

For example, in Step 2, the value of u_{t+23} is determined from the values of v_{t+12}, 
u_{t+12}, u_{t+17} and u_{t+22} by D-exploiting the NLF: 

u_{t+23} = f^{-1}(v_{t+12} ⊟ (u_{t+17} ⊞ u_{t+22})) ⊟ u_{t+12}. 


Table 1. A GD attack on TIPSY exploiting the LFSR, the NLF, p^2(x), r_1(x) and 
r_2(x), given v_{t+i}, i ∈ {4, 7, 11, 12, 17, 18, 22, 23}. "Action" indicates the following 
actions: C, perform an NLF check; G, guess values; L, D-exploit the LFSR; N, 
D-exploit the NLF; r_1, D-exploit the multiple r_1(x); r_2, D-exploit the multiple 
r_2(x); S, D-exploit the square of the connection polynomial (p^2(x)); T, test 
the given candidate state. In the next two columns a candidate L-word u_{t+i} is 
indicated using the value of i. "Used" indicates those values used to determine 
or check the value indicated in the "Det." column. 

Step  Act.  Values Used                  Det.
 1    G                                  12, 14, 15, 17, 22, 27
 2    N     v_{t+12}, 12, 17, 22         23
 3    N     v_{t+17}, 17, 22, 27         28
 4    S     15, 17, 23                   41
 5    L     14, 15, 27                   18
 6    N     v_{t+7}, 12, 17, 18          7
 7    N     v_{t+18}, 18, 23, 28         29
 8    L     28, 29, 41                   32
 9    N     v_{t+22}, 22, 27, 32         33
10    S     7, 15, 33                    9
11    N     v_{t+4}, 9, 14, 15           4
12    r_2   4, 9, 14, 23, 27, 28, 29     5
13    L     4, 5, 17                     8
14    L     8, 9, 12                     21
15    L     17, 18, 21                   30
16    S     4, 12, 30                    6
17    r_1   6, 7, 9, 12, 15, 22, 28      25
18    L     21, 22, 25                   34
19    C     23, 28, 33, 34               v_{t+23}
20    G                                  11
21    N     v_{t+11}, 11, 21, 22         16
22    L     12, 16, 25                   13
23    S     8, 16, 34                    10
24    T     μ_{t+4}


Note that the L-words s_{t+i}, i ∈ {23, 28, 33, 34}, are the inputs to the NLF 
producing v_{t+23}, and candidates for all these inputs are known after Step 18 is 
performed. However, v_{t+23} has not been used to determine any of these values when 
exploiting the NLF, so these candidates are independent of the value of v_{t+23}. 
Clearly, if the candidates in φ_t are correct, then F(u_{t+23}, u_{t+28}, u_{t+33}, u_{t+34}) = 
v_{t+23}. If F(u_{t+23}, u_{t+28}, u_{t+33}, u_{t+34}) ≠ v_{t+23}, then at least one of the candidates 
in φ_t is incorrect, and there is no use in completing any further steps. This 
information can be used to eliminate incorrect values of φ_t using a process called an 
NLF check. If F(u_{t+23}, u_{t+28}, u_{t+33}, u_{t+34}) = v_{t+23}, then the vector φ_t is said 
to pass the NLF check, otherwise it fails. If φ_t fails the NLF check in Step 19, 
then the attack returns to Step 1 and tries another guess for φ_t, otherwise the 
attack proceeds to Step 20. 

At Step 20, a candidate u_{t+11} for s_{t+11} is guessed. Steps 21, 22 and 23 
determine candidates u_{t+16}, u_{t+13} and u_{t+10}. Thus after Step 23, a candidate 
state μ_{t+4} = (u_{t+4}, ..., u_{t+16}) for the state σ_{t+4} has been determined. This 
candidate state μ_{t+4} is then tested in Step 24. If μ_{t+4} is incorrect, then the 
attack returns to Step 20 and guesses another value for u_{t+11}, unless all values 
for u_{t+11} have been tested for a given value of φ_t, in which case the attack returns 
to Step 1 and guesses another value for φ_t. 

There are 2^{6w} = 2^{96} possible values for φ_t, so performing Steps 1 to 19 is 
computationally equivalent to c(2^{96}) encryptions. As the NLF is balanced, only 
one in 2^w = 2^{16} values of φ_t will pass the NLF check. Thus, only 2^{80} values 
of φ_t will proceed to Step 20. There are 2^{16} values for u_{t+11}, so Steps 20 to 24 
are performed 2^{80} · 2^{16} = 2^{96} times: equivalent to c(2^{96}) encryptions. Therefore, 
the total complexity of the attack is equivalent to only c(2^{96}) + c(2^{96}) = c(2^{96}) 
encryptions. 


Note 2. This attack clearly exploits the property that TIPSY has two pairs of 
NLF taps which are 5 words apart, contravening criteria suggested by Golić [6] 
and Löhlein [11]. 


3.1 Accounting for the Stuttering 

The stuttering decimates the N-stream {v_t} as follows. The first output of the 
NLF (v_0) is the first stutter control word (SCW). Each SCW is partitioned into 
eight pairs of bits (each pair is called a dibit). Beginning with the least significant 
dibit, the stuttering reads the value of the dibit and performs one of four actions 
according to the value of the dibit. The actions corresponding to the dibits are 
shown in Table 2. When all the dibits have been read, the LFSR is cycled, and 
the output of the NLF becomes the next SCW. The resulting stream, denoted 
{z_n}, is the key stream. 

The stuttering decimates the N-stream in a random manner, so that consec- 
utive key-stream words may or may not be consecutive N-stream words. This 
results in some uncertainty in relating the position of N-words to position of 
key-stream words. Furthermore, this uncertainty increases with the distance (in 
words) between key-stream words. This helps defeat attacks which require large 
amounts of key stream, such as correlation attacks. However, the stuttering does 
not add much resistance against GD attacks. 

Table 2. The actions of the stuttering corresponding to the four possible values 
of the dibits. 

00: Cycle the LFSR, but do not output anything. 
01: Cycle the LFSR, output the NLF output XORed with 0x6996, 
    then cycle the LFSR again (without producing another output). 
10: Cycle the LFSR once (without producing any output), 
    then cycle the LFSR again and output the NLF output. 
11: Cycle the LFSR and output the NLF output XORed 
    with the bit-wise complement of 0x9669. 

Example 4. Consider the attack in Example 3. This attack requires the attacker 
to know the values of v_{t+i}, i ∈ {4, 7, 11, 12, 17, 18, 22, 23}. To perform this attack, 
the attacker must assume that at a certain point in the key stream, one or more 
SCWs have a particular value or values which allow the appropriate N-words to 
be obtained from the key stream. Given a suitably large amount of key stream, an 
attacker can assume that for some values of t, v_{t+3} = (01, 10, ab, 01, 10, cd, 10, 01), 
where ab, cd ∈ {01, 10}, and v_{t+3} is an SCW. The key stream output by this 
SCW will be: 


z_n = v_{t+4} ⊕ 0x6996,   z_{n+1} = v_{t+7}, 
z_{n+2} = v_{t+8} ⊕ 0x6996 OR z_{n+2} = v_{t+9}, 
z_{n+3} = v_{t+11},   z_{n+4} = v_{t+12} ⊕ 0x6996, 
z_{n+5} = v_{t+14} ⊕ 0x6996 OR z_{n+5} = v_{t+15}, 
z_{n+6} = v_{t+17},   z_{n+7} = v_{t+18} ⊕ 0x6996. 


The next SCW will be v_{t+20}. The attacker can assume that for some value of t, not 
only is v_{t+3} of the above form, but v_{t+20} is also of the form v_{t+20} = (..., 01, 10). 
If this is the case, then the next key-stream words are z_{n+8} = v_{t+22} and z_{n+9} = 
v_{t+23} ⊕ 0x6996. 

Thus, assuming that the values of the SCWs are correct, the attacker is 
able to determine the N-words from the key stream, and perform the attack in 
Example 3. There are two obstacles. First, the attacker does not know when the 
SCWs have these values, and second, the attacker does not even know where 
in the key stream the SCWs occur. As a result, the attacker proceeds through 
the key stream assuming that each sequence of 10 key-stream words was derived 
from the N-stream using the SCWs in Example 4, and performs the steps in 
Example 3 until the correct state is found. Let N denote the data complexity, 
equal to the number of times that the process in Example 3 is repeated. The 
expected value of N is the inverse of the probability that a random portion of 
key stream was obtained from the N-stream using the SCWs in Example 4. This 
probability is determined as follows. Firstly, consider the probability that the 
first key-stream word is the first word output by an SCW. There are an average 
of 6 key-stream words output for every SCW, so this is 1/6. Secondly, ignoring 
the requirement that v_{t+3} be an SCW, the values of v_{t+3} and v_{t+20} are of the 
correct form (in this example) with probability 2^{-18}. The combined probability 
is (1/6) · 2^{-18} ≈ 2^{-20.6}. Consequently, N = 2^{20.6} is the expected data complexity and 
the expected process complexity of the attack is c(2^{20.6} · 2^{96}) = c(2^{116.6}). The 
GD attack on TIPSY exploiting only the LFSR and NLF (of process complexity 
c(2^{128}), given the N-stream) would correspond to an attack of process complexity 
c(2^{150}), when considering the stuttering. 

4 Searching for GD Attacks 

This section provides a brief description of the authors' method of searching for 
GD attacks. In this section, the tapset of any polynomial r(x) = \sum_{i=0}^{d} c_i x^i is 
defined to be T[r(x)] = {i : c_i ≠ 0}, and the number of non-zero coefficients of 
r(x) (equal to |T[r(x)]|) is called the weight of r(x).^2 A GD attack is defined 
by a set of steps where the LFSR, the NLF and other multiples are D-exploited 
to determine a candidate state from a small set of candidate L-words. It is 
the tapsets (of the LFSR, NLF and multiples) that determine which candidate 
L-words can be determined from a given set of candidate L-words. Thus, the 
existence of a GD attack is determined by the tapsets of the LFSR, NLF and 
multiples, and not other details of the relationship such as the coefficients. In the 
case of a bit-wise LFSR, finding the tapsets for the multiples is simple because the 
tapsets of the factors p(x) and q(x) define the polynomials and hence define 
the tapset of the product r(x) = p(x) · q(x). However, in a word-oriented LFSR, 
there can be many factors q(x) with the same tapsets (but different coefficients) 
for which the products p(x) · q(x) have different tapsets. This adds significant 
complication to the search for GD attacks. In addition to this complication, 
there is a very large set of multiples (and their tapsets). Consequently, the task 
of searching for the optimal GD attack (the GD attack of lowest complexity) is 
still an open problem. 

The search for GD attacks can be approached from two directions. One ap- 
proach is to have a growing set of multiples to exploit, where the search program 
constantly tests for all multiples that can be D-exploited given the set of L-words 
that are currently known. This approach has not yet been implemented, although 
the authors are in the process of developing such a program. 

The second approach divides the search into two parts: a polynomial search, 
that determines a set of multiples B to exploit; and a B-attack search, that 
examines the GD attacks exploiting the NLF and the polynomials in B. The set 
B is called a GD basis and is always assumed to contain p(x). 


4.1 The B-Attack Search 

The B-attack search finds a GD attack which minimises the complexity of the 
GD attacks exploiting the NLF and the polynomials in B. The B-attack search 
chooses a subset of L-words to guess, and finds the position of all L-words that 
could be determined by exploiting the NLF and the polynomials in B. If these 
L-words do not comprise a full state, then an additional L-word is guessed, and 
the process repeated. This continues until all L-words in an entire state are 
determined. Alternatively, if guessing an additional word will result in an attack 
with complexity larger than that of the best known attack, then the B-attack 
search tries another subset of L-words. To ensure that the B-attack search does 
not proceed indefinitely, the authors bounded the distance between the first 
L-word guessed and any determined L-words to a maximum of four register 
lengths. 

^2 Note that D-exploiting r(x) is computationally equivalent to at most c(|T[r(x)]|) 
encryptions. 

4.2 The Polynomial Search 

The speed of the B-attack search decreases as the size of B increases, so the 
aim of the polynomial search is to find a small set of multiples that are likely 
to find the best attack. Intuition suggests that a multiple r(x) is more likely 
to be D-exploited if the corresponding linear relationship is between a small 
number of L-words. That is, r(x) is more likely to be exploited if it has low 
weight. Consequently, the first criterion used for selecting multiples for the set 
B is that they have low weight. Now, suppose that the polynomial search is 
considering adding a multiple r(x) to B. Suppose that whenever r(x) is 
D-exploited, some combination of other multiples can be D-exploited to determine the 
same L-word. Such multiples are redundant and should not be added to B. Hence, 
the polynomial search looks for a set of low-weight, non-redundant multiples 
of p(x). The polynomial search takes a polynomial p(x), and two bounds D 
and W on the degree and weight of the polynomials to be added to the GD 
basis. The polynomial search looks through the multiples of degree ≤ D and 
with weight ≤ W: any non-redundant multiples are added to the GD basis. The 
polynomial search fixes a tapset T' and considers the tapsets of r(x) = p(x) · q(x) 
when T[q(x)] = T'. Note that for a given T', all these multiples r(x) will share 
some similar characteristics. There will be some coefficients of r(x) which will be 
certain to be zero (the zero positions), there will be some coefficients which will 
be certain to be nonzero (the nonzero positions), and the remaining coefficients 
could be either zero or nonzero, depending on the cancellation of terms in the 
expansion of p(x) · q(x) (the zero-or-nonzero positions). From these sets of 
coefficients we can determine a superset of the possible tapsets for multiples 
p(x) · q(x) with T[q(x)] = T', by considering all possible combinations of the 
nonzero positions and the zero-or-nonzero positions. The polynomial search only 
considers those tapsets with weight less than the bound W. For each resulting 
tapset, the polynomial search conducts tests for redundancy, and then confirms 
that the tapset corresponds to a multiple p(x) · q(x) with T[q(x)] = T'. This 
requires less processing than determining if the tapset corresponds to a multiple 
and then conducting the tests for redundancy. 

The greatest restriction on the authors’ polynomial search is the weight of 
the tested multiples. Our fastest algorithm employed fixed arrays containing the 
subsets of $b$ elements from a set of $a$ elements. This method worked best for us. 
As $a$ and $b$ increase, the necessary storage requirements increase significantly, 
placing constraints on $a$ and $b$. The authors restricted the polynomial search to 
finding multiples of degree less than $2r$ (twice the degree of $p(x)$) and weight 10 
or less. The tests for redundancy then reduced this set of multiples. Given these 
restrictions, the polynomial search and B-attack search require less than a day 
of processing each. 
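The tapset reasoning of Section 4.2, as an added worked example (not the authors' code): it classifies the positions of $r(x) = p(x) \cdot q(x)$ from $T[p]$ and $T'$ alone into certain-nonzero, certain-zero and zero-or-nonzero, enumerates the candidate tapsets of weight $< W$ and degree $< D$, and confirms each candidate by brute force over $q(x)$. It assumes a tiny field $GF(2^4)$ with modulus $x^4 + x + 1$ and a made-up $p(x)$ instead of the SOBER LFSRs, and omits the redundancy tests, which the text describes only by their effect.

```python
"""Tapset-based search for low-weight multiples of p(x) over GF(2^w).
Added illustration of the polynomial search described above; not the
authors' code.  Constructed parameters: w = 4, modulus x^4 + x + 1."""
from itertools import combinations, product

W_BITS = 4            # GF(2^4) elements are ints 0..15 (constructed toy field)
MODULUS = 0b10011     # x^4 + x + 1, assumed field polynomial


def gf_mul(a, b):
    """Multiply two GF(2^w) elements (shift-and-add with reduction)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << W_BITS):
            a ^= MODULUS
    return r


def poly_mul(p, q):
    """Product of polynomials over GF(2^w); list index = power of x."""
    r = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            if a and b:
                r[i + j] ^= gf_mul(a, b)
    return r


def tapset(poly):
    """T[poly]: the set of positions holding a nonzero coefficient."""
    return frozenset(i for i, c in enumerate(poly) if c)


def classify_positions(tp, tq):
    """From T[p] and T[q] alone: positions of p*q that are certainly nonzero
    (exactly one product term lands there, and a field has no zero divisors)
    and positions that are zero-or-nonzero (two or more terms may cancel).
    Every other position is certainly zero."""
    hits = {}
    for i in tp:
        for j in tq:
            hits[i + j] = hits.get(i + j, 0) + 1
    sure = frozenset(k for k, n in hits.items() if n == 1)
    maybe = frozenset(k for k, n in hits.items() if n >= 2)
    return sure, maybe


def candidate_tapsets(tp, tq, max_weight):
    """Superset of the tapsets of multiples p*q with T[q] = tq, weight < max_weight."""
    sure, maybe = classify_positions(tp, tq)
    if len(sure) >= max_weight:
        return []
    return [sure | frozenset(extra)
            for k in range(max_weight - len(sure))
            for extra in combinations(sorted(maybe), k)]


def realize(p, tq, target):
    """Confirm a candidate tapset: brute-force the nonzero coefficients of q
    (feasible only because w is tiny) and return a witness q, or None."""
    positions = sorted(tq)
    for coeffs in product(range(1, 1 << W_BITS), repeat=len(positions)):
        q = [0] * (positions[-1] + 1)
        for pos, c in zip(positions, coeffs):
            q[pos] = c
        if tapset(poly_mul(p, q)) == target:
            return q
    return None


def polynomial_search(p, max_degree, max_weight, max_q_weight):
    """Tapsets of multiples of p with degree < max_degree and weight < max_weight,
    found by fixing T[q] (weight <= max_q_weight), enumerating candidate tapsets
    and confirming them.  The paper's redundancy tests are omitted here.
    Returns {tapset: witness q}."""
    tp = tapset(p)
    q_positions = range(max_degree - max(tp))   # deg q < max_degree - deg p
    found = {}
    for k in range(1, max_q_weight + 1):
        for tq in combinations(q_positions, k):
            for target in candidate_tapsets(tp, frozenset(tq), max_weight):
                if target not in found:
                    q = realize(p, tq, target)
                    if q is not None:
                        found[target] = q
    return found


# Constructed example: p(x) = 1 + (x+1)x + x^3 over GF(2^4), coefficients
# [1, 3, 0, 1]; search multiples of degree < 6 and weight < 5.
P = [1, 3, 0, 1]

if __name__ == "__main__":
    results = polynomial_search(P, 6, 5, 2)
    for tap, q in sorted(results.items(), key=lambda kv: sorted(kv[0])):
        print(sorted(tap), "witness q =", q)
```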


4.3 Results 

The polynomial search on the LFSR of TIPSY found 123 multiples within 
the above constraints (maximum degree $D = 26 = 2r$ and maximum weight 
$W = 10$). Using this basis, the B-attack search found an attack on TIPSY of 
complexity $c(2^{96})$ (ignoring stuttering): this is the attack described in 
Example 3. Given the improved attack on TIPSY, the authors considered that t-class 
might also be weaker than first claimed. A polynomial search on the LFSR of t16 
was conducted to find the GD basis $B$ within the aforementioned constraints 
(maximum degree $D = 34 = 2r$ and maximum weight $W = 10$). This search 
revealed a GD basis of 63 multiples. The B-attack search using this basis found 
only GD-attacks of complexity $c(2^{160})$ (ignoring stuttering). Such attacks offer 
no improvement over previous GD attacks (such attacks are simple variants of 
the attacks in [2,7], discussed in [8]). A similar analysis of t8 and t32 revealed that 
the additional linear relationships did not provide an attack of lower complexity 
than was already known. 

5 Conclusion 

This paper provides two examples of how multiples can be exploited in attacks 
against various word-oriented ciphers. In the first example, powers of the bit- 
wise connection polynomial reveal a weakness in SSC-II. This supports the well- 
known criterion that stream ciphers (even word-oriented stream ciphers) should 
avoid using connection polynomials for which there exist low-degree, low-weight 
multiples. In the second example, multiples of the connection polynomial over 
$GF(2^w)$ are used in a low complexity GD attack against a dummy SOBER-like 
cipher, TIPSY. However, the t-class ciphers appear to resist attacks exploit- 
ing multiples. The authors continue to examine how multiples can be exploited 
against SOBER-like ciphers, and consider how SOBER-like ciphers resist such 
attacks. It is hoped that this will lead to a method of determining the best 
possible GD attack on a given SOBER-like cipher. 
Abstract. We investigate the following approach to symmetric encryp- 
tion: first encode the message via some keyless transform, and then 
encipher the encoded message, meaning apply a permutation $F_K$ based 
on a shared key $K$. We provide conditions on the encoding functions 
and the cipher which ensure that the resulting encryption scheme meets 
strong privacy (e.g. semantic security) and/or authenticity goals. The en- 
coding can either be implemented in a simple way (e.g. prepend a counter 
and append a checksum) or viewed as modeling existing redundancy or 
entropy already present in the messages, whereby encode-then-encipher 
encryption provides a way to exploit structured message spaces to achieve 
compact ciphertexts. 


1 Introduction 

Enciphering vs. encrypting. Many popular books on cryptography describe 
“encryption” as applying a key-indexed permutation $F_K$ to the plaintext $M$, 
thereby obtaining the ciphertext $C = F_K(M)$. Yet, if the goal of encryption is 
privacy (as it is usually assumed to be), then our community has long since rec- 
ognized that, being deterministic, this realization of encryption cannot possibly 
achieve the strong security guarantees that one would hope for, namely, semantic 
security under chosen-plaintext attack and beyond [9,7,13]. (For example, if the 
same message is encrypted twice an adversary will be able to detect this.) 

From this point forward, a family of permutations $F = \{F_K\}$ will be called 
a cipher. Applying one of these functions, $F_K$, is enciphering (not encrypting). 
Applying $F_K^{-1}$ is deciphering (not decrypting). In this paper, “good” for an 
enciphering method means approximating (in the usual ways [11]) a family of 
random permutations. On the other hand, “good” for an encryption scheme 
means achieving privacy properties at least as strong as semantic security. As 
indicated above, good enciphering never, by itself, makes for good encryption. 

T. Okamoto (Ed.): ASIACRYPT 2000, LNCS 1976, pp. 317-330, 2000. 
Despite the last statement, there seems to be a widespread belief that enci- 
phering a message is, somehow, almost as good as encrypting it. When messages 
are somehow “structured,” or the message space has “enough entropy,” maybe 
enciphering does the job. Is there some scientific basis for such a belief? 

In this paper we investigate the circumstances under which good encipher- 
ing really does make for good encryption. This leads us to introduce encoding 
schemes as a way to conceptualize what is happening when you encipher struc- 
tured messages. Let us describe what are encoding schemes, and how they relate 
to enciphering. 

Encode-then-encipher encryption. Start with a good cipher that operates 
on messages of any length at all. (In other words, $F_K$, for a random $K$, “looks 
like” a random length-preserving permutation.) Now to encrypt $M$, first “en- 
code” it into some string $M^*$. The encoding might be extremely simple — like 
prepending a counter, or appending some 0-bits, or maybe doing both. The 
encoding might even be the identity function. All that is demanded of an en- 
coding method is that it does not “lose” information: you can “decode” $M^*$ to 
recover $M$, and you can recognize when a string is and is not the encoding of 
any message. Now to encrypt message $M$ under key $K$, encipher the encoded 
message $M^*$ using $F_K$, yielding ciphertext $C = F_K(M^*)$. To decrypt a cipher- 
text $C$ decipher it to find $M^* = F_K^{-1}(C)$, and then decode $M^*$ to get either a 
message $M$ or an indication that $M^*$ is not the encoding of any message. We 
call this style of encryption “encode-then-encipher encryption.” This is not a 
popular way to encrypt, though it is certainly a very natural paradigm. 

Our results. In this paper we investigate how properties of the encoding 
scheme and the enciphering scheme can give rise to security properties of the 
resulting encryption scheme. 

Suppose first that the encoding scheme adds in a nonce — usually a counter or 
a random value. The nonce can be added into the message in any way at all. All 
one needs is that the “collision probability” — the chance that two encoded mes- 
sages come out the same — be small. We prove in Theorem 1 that enciphering 
such encodings provides semantic security. 

Next we look at encoding schemes which result in encoded messages which 
have enough redundancy. This means that “most” strings M* will be considered 
“bad.” We prove in Theorem 2 that the resulting encryption scheme will now 
achieve message authenticity. It is as though the sender had sent a MAC along 
with his transmission. Interestingly, this theorem requires that the cipher be a 
strong pseudorandom permutation [11]. We show in Theorem 3 that an ordinary 
pseudorandom permutation won’t do. 

The actual results are quantitative. They show how much privacy and au- 
thenticity is guaranteed as a function of (easily-calculated) numbers associated 
to the encoding scheme, and as a function of the (quantified) security of the 
underlying cipher. 


Justifying some old intuition. At some level it would seem to be folklore 
that enciphering strings which employ nonces or redundancy makes for good 
encryption. In the security literature one sees many statements to the effect that 
we assume that messages to be encrypted employ adequate redundancy, or we 
avoid replay attacks by including a nonce in the messages we encrypt. Our results 
help formalize what such authors may have had in mind, since the statements 
above become meaningful and true when “encryption” means “enciphering” and 
when the roles of nonces and redundancy are formally defined. 

Is the encoding step “real”? In some applications of encode-then-encipher 
encryption we imagine that the encoding step will be an ostensible part of en- 
crypting: the piece of software which encrypts $M$ will encode it first, and then 
encipher the encoded message. For example, the encryption engine might take 
in a message $M$, prepend a counter, append a checksum, and encipher the re- 
sulting string. But encode-then-encipher encryption is actually more interesting 
when the encoding and decoding operations do not occur within the customary 
boundary of the encryption engine. For example, the encryption software may be 
presented with an already-formatted IP packet $M^*$. Its payload is the message $M$ 
one should get on decoding $M^*$, but the encryption software itself knows nothing 
about where the payload is or how to extract it. Still, the encoding and decod- 
ing processes really did occur, albeit within a different piece of code. Finally, the 
encoding step may exist purely as a conceptualization. For example, if messages 
are supposed to be English-language sentences then the encoding step can be 
regarded as the identity function on the space of proper English-language 
sentences, while the decoding function takes a string $M^*$ and returns $M = M^*$ if 
it is English, or else an indication that this is not an English sentence. Probably 
this decoding operation can only be performed by a human! Nonetheless, even in 
this case the language of encodings makes sense. 

In general, the encoding of messages should be seen as a model for how the 
messages that we are enciphering might arise. This model is a more useful and 
general approach than trying to equip an unknown message space with a distribu- 
tion. For example, a distribution on messages can not handle ideas like inserting 
a counter into the message, and it is quite artificial to try to equip English- 
language utterances with some distribution. The encoding/decoding model lets 
us discuss, in a natural and simple way, all the relevant properties about how 
messages might look. 

Why encode-then-encipher? Encode-then-encipher encryption can be used 
to provide short ciphertexts with a high degree of independence on message- 
formatting conventions. As such, it can be used to provide a convenient migration 
path for legacy protocols. Let us explain. 

In various applications, particularly in networking, a “packet format” will have 
been defined, where this packet format includes redundancy and/or nonces, but 
has no fields for cryptographic purposes (e.g., fields for an IV or MAC). Now 
suppose a need arises to add in privacy or authenticity features. At the same 
time, there will often be a real-world constraint not to grow or re-define the 
packet format. 

Using encode-then-encipher you probably do not have to. If packets are 
known to repeat rarely or not at all (e.g., packets always contain a sequence 
number) then semantic security is automatically guaranteed just by applying 
a good cipher. And if packet formats already include redundancy (which they 
typically do if for no other reason than to simplify parsing) then there may be no 
need to add in a separate MAC; once again, good enciphering (this time, with a 
strong pseudorandom permutation) is enough. And because it is irrelevant how 
and where the nonce and redundancy appeared in the packet, privacy and au- 
thenticity will be retained, with no protocol changes at all, if packet formats 
should subsequently change in some details. 

The result is that encode-then-encipher encryption would leave packet sizes 
alone (our ciphers are understood to be length-preserving), and they would leave 
packets looking identical (after deciphering) to the way they looked before. This 
allows for modular software changes with minimal code disruption. The code 
which enciphers as a way to encrypt doesn’t know (or care) where is the sequence 
number, say, where other fields are, or what values these fields can take. Such 
indifference makes for robust and simple software, and thus an easier migration 
path for adding in security features. 

Constructing variable-input-length ciphers. To encrypt messages using 
the encode-then-encipher approach you need to encipher strings which may be 
long or short, and whose lengths may vary from one enciphering to the next. The 
cipher should look like a random length-preserving permutation $\pi: \mathcal{M} \to \mathcal{M}$. 
This may sound just like a block cipher, but it is actually quite different, because 
the domain includes strings of different lengths. One construction is given in [5], 
and others are possible, building on work like [11] and [12]. 

A notion of authenticity for encryption schemes. We note a final con- 
tribution of this paper, which is the notion of authenticity defined in Section 2. 
The usual way that message authenticity has been defined (e.g., [2]) assumes that 
each message $M$ is accompanied by a tag (the message authentication code) $\tau$. 
The adversary wants to produce a hitherto unseen message $M'$ and a valid tag $\tau'$ 
for it. But this setting does not apply to us, where the messages being authenti- 
cated are never made visible. In the new setting the adversary’s goal is to get the 
receiver to accept as authentic a string $C$ — with a possibly unknown “meaning” 
$M$ — where the adversary has not already witnessed $C$. This necessitates a new 
notion (or measure) of security for a symmetric encryption scheme. 

While several definitions of privacy for symmetric encryption schemes are 
given in [1], here we are suggesting a notion of authenticity for an encryption 
scheme. Namely, consider a symmetric encryption scheme in which the decryp- 
tion algorithm is allowed to reject ciphertexts to indicate that they are unau- 
thentic. We take the setting of [1] in which the adversary gets to see (via an 
oracle) ciphertexts of messages of her choice encrypted under a key K. We then 
say that the adversary wins if she can produce a valid ciphertext (meaning one 
which the decryption function under K does not reject) which was never an 
output of the encryption oracle. 

Early (submitted) versions of this paper date to December 1998. Since then, 
definitions of authenticity for symmetric encryption schemes have appeared else- 
where [10] . We refer the reader to [4] for a comprehensive treatment of different 
notions of authenticity for symmetric encryption schemes and their relations to 
the notions of privacy. 

2 Definitions 

We provide definitions for PRFs, PRPs and SPRPs over arbitrary message 
spaces, and definitions of privacy and authenticity for symmetric encryption 
schemes. 

History and comparisons. The basic definition of a PRF (pseudorandom 
function), as given by [8], sets the domain, range and keyspace to be the set 
of strings of length equal to the security parameter, and then defines security 
asymptotically. We adopt concrete versions of these definitions, as per [2], in 
order to model block-cipher based construction, and also to allow for a domain 
(which we call the message space) containing strings of different lengths. Our 
notion of a PRP (pseudorandom permutation) follows [2,3] and differs from 
that of [11] in that we measure distinguishability versus a random permutation 
rather than a random function, which is important when concrete security is 
considered. The notion of an SPRP (strong pseudorandom permutation) is that 
of [11] concretized in the style of [2] and extended with regard to domains. The 
definition of privacy for symmetric encryption schemes is from [1]. 

Notation and conventions. A message space $\mathcal{M}$ is a subset of $\{0,1\}^*$ for 
which $x \in \mathcal{M}$ implies that $x' \in \mathcal{M}$ for all $x'$ of the same length as $x$, and for 
which there exists an efficient (say linear time) algorithm to decide membership. 
A ciphertext space $\mathcal{C}$ is a subset of $\{0,1\}^*$. A key space $\mathcal{K}$ is a set together with a 
probability measure on that set. Writing $K \leftarrow \mathcal{K}$ means to choose $K$ at random 
according to this probability measure. The notation $|X|$ denotes the length of 
$X$ if $X$ is a string and the number of elements in $X$ if $X$ is a set. 

Ciphers. Let $\mathcal{K}$, $\mathcal{M}$ and $\mathcal{C}$ be a key space, message space, and ciphertext space. A 
family of functions is a map $F: \mathcal{K} \times \mathcal{M} \to \mathcal{C}$. If $K \in \mathcal{K}$ then we let 
$F_K(\cdot) = F(K, \cdot)$ and call this an instance of $F$. We let $f \leftarrow F$ denote the 
operation of picking a function from $F$ at random. (This is shorthand for 
$K \leftarrow \mathcal{K}$; $f \leftarrow F_K$.) We assume that $|F_K(M)| = \ell(|M|)$ depends only on 
$|M|$ and call $\ell$ the length function of the family. A cipher is a family of 
functions $F: \mathcal{K} \times \mathcal{M} \to \mathcal{C}$ in which each $F_K: \mathcal{M} \to \mathcal{C}$ is one-to-one 
and onto. In this case, $F_K^{-1}$ denotes the inverse of $F_K(\cdot)$. A cipher is 
length-preserving if $|F_K(M)| = |M|$ for all $K \in \mathcal{K}$ and $M \in \mathcal{M}$. 
For simplicity, all ciphers in this paper are assumed to be length-preserving. A 
block-cipher is a cipher with domain and range $\{0,1\}^n$. The number $n$ is called 
the block length. 

We let $\mathrm{Rand}(\mathcal{M}, \ell)$ denote the family of all functions $f: \mathcal{M} \to \{0,1\}^*$ that 
satisfy $|f(M)| = \ell(|M|)$ for all $M \in \mathcal{M}$. A random function $f$ from $\mathrm{Rand}(\mathcal{M}, \ell)$ 
is determined as follows: for each $M \in \mathcal{M}$, $f(M)$ is a random string of length 
$\ell(|M|)$. Also let $\mathrm{Perm}(\mathcal{M})$ denote the cipher consisting of all length-preserving, 
one-to-one and onto functions on $\mathcal{M}$. A random function $\pi$ from $\mathrm{Perm}(\mathcal{M})$ is 
determined as follows: for each number $i$ such that $\mathcal{M}$ contains strings of length $i$, 
let $\pi_i$ be a random permutation on $\{0,1\}^i$. Then define $\pi(M) = \pi_i(M)$, where 
$i = |M|$. 

PRFs, PRPs and SPRPs. A distinguisher is a (possibly probabilistic) algo- 
rithm $A$ which has access to an oracle. If $F: \mathcal{K} \times \mathcal{M} \to \mathcal{C}$ is a function family 
with length function $\ell$ we let 

$$\mathbf{Adv}^{\mathrm{prf}}_F(A) = \Pr[K \leftarrow \mathcal{K} : A^{F_K(\cdot)} = 1] - \Pr[f \leftarrow \mathrm{Rand}(\mathcal{M}, \ell) : A^{f(\cdot)} = 1]$$ 

denote the advantage of $A$ in distinguishing $F$ from a random function. We let 

$$\mathbf{Adv}^{\mathrm{prp}}_F(A) = \Pr[K \leftarrow \mathcal{K} : A^{F_K(\cdot)} = 1] - \Pr[\pi \leftarrow \mathrm{Perm}(\mathcal{M}) : A^{\pi(\cdot)} = 1]$$ 

denote the advantage of $A$ in distinguishing $F$ from a random permutation. 
Define 

$$\mathbf{Adv}^{\mathrm{prf}}_F(t, q, \mu) = \max_A\{\mathbf{Adv}^{\mathrm{prf}}_F(A)\}$$ 

$$\mathbf{Adv}^{\mathrm{prp}}_F(t, q, \mu) = \max_A\{\mathbf{Adv}^{\mathrm{prp}}_F(A)\}$$ 

where the maximum is taken over all adversaries having time-complexity at 
most $t$ and asking at most $q$ oracle queries, these queries totaling at most $\mu$ 
bits. (The time-complexity, here and hereafter, refers to the execution time of 
the experiment underlying the definition of the advantage, plus the size of the 
description of the adversary.) 

To define SPRPs we give the distinguisher not only an oracle for the function, 
but also one for its inverse. Let $F: \mathcal{K} \times \mathcal{M} \to \mathcal{C}$ be a PRP with length function $\ell$. 
Then we let 

$$\mathbf{Adv}^{\mathrm{sprp}}_F(A) = \Pr[K \leftarrow \mathcal{K} : A^{F_K(\cdot),\,F_K^{-1}(\cdot)} = 1] - \Pr[\pi \leftarrow \mathrm{Perm}(\mathcal{M}) : A^{\pi(\cdot),\,\pi^{-1}(\cdot)} = 1]$$ 

denote the advantage of $A$ in distinguishing $F$ from a random permutation. 
Define 

$$\mathbf{Adv}^{\mathrm{sprp}}_F(t, q, \mu) = \max_A\{\mathbf{Adv}^{\mathrm{sprp}}_F(A)\}$$ 

where the maximum is taken over all adversaries having time-complexity at 
most $t$ and asking at most $q$ oracle queries, these queries totaling at most $\mu$ bits. 

Throughout, if the distinguisher inquires as to the value of oracle $f$ at a 
point $M \notin \mathcal{M}$ then the oracle responds with the distinguished point $\bot$. Since 
we assume that there is a (simple) algorithm to decide membership in $\mathcal{M}$, there 
is in fact no point for the adversary to make such inquiries. 

Encapsulation schemes. Fix a key space $\mathcal{K}$, a message space $\mathcal{M}$, and a ci- 
phertext space $\mathcal{C}$. An encapsulation scheme $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ is a triple of algo- 
rithms. The probabilistic key-generation algorithm $\mathcal{K}$ produces a key $K \in \mathcal{K}$; 
we write $K \leftarrow \mathcal{K}$. The encryption algorithm $\mathcal{E}$ can be either probabilistic or 
stateful. It takes a key $K \in \mathcal{K}$ and a message $M \in \mathcal{M}$ and returns ciphertext 
$C = \mathcal{E}_K(M, r) \in \mathcal{C} \cup \{\bot\}$. If probabilistic, $r \in \{0,1\}^*$ is its coin tosses, which are 
taken anew upon each invocation. If stateful, $r$ is the internal state, which the 
encryption algorithm updates upon each invocation and which is securely main- 
tained across invocations. (The state is typically a counter, which is incremented 
by some message-dependent amount.) The value $\bot$ is returned if $M \notin \mathcal{M}$ or (if 
this is a stateful encryption scheme) the state $r$ indicates that the message $M$ 
can not be sent (when, for example, too many messages have already been sent). 
Algorithm $\mathcal{D}$ takes $K \in \mathcal{K}$ and $C \in \{0,1\}^*$ and computes $M = \mathcal{D}_K(C)$ where $M$ 
is either a string in $\mathcal{M}$ or the distinguished symbol $\bot$. A return value of $\bot$ is used 
to indicate that $C$ is regarded as unauthentic. We call $C$ valid if $\mathcal{D}_K(C) \in \mathcal{M}$ 
and we call $C$ invalid if $\mathcal{D}_K(C) = \bot$. We also permit applying $\mathcal{E}_K$ to $(\bot, r)$, 
which results in a return value of $\bot$. Likewise, applying $\mathcal{D}_K$ to $\bot$ is permitted 
and this gives a return value of $\bot$. We require that if $C = \mathcal{E}_K(M, r)$ and $C \neq \bot$ 
then $\mathcal{D}_K(C) = M$. 

When we think of the goal of S£ as privacy, or a combination of privacy and 
message authenticity, we typically call it an encryption scheme. When we think 
of the goal of S£ as authenticating messages then we call it an authentication 
scheme. But we emphasize that there is no syntactic distinction between an 
encryption scheme and an authentication scheme under this formalization: they 
are both encapsulation schemes. 

Privacy. Several formulations for the privacy of a symmetric encryption scheme 
under chosen-plaintext attack were provided in [1] and compared in terms of 
concrete security. We will use one of these notions, namely “real-or-random” 
security. The idea is that an adversary cannot distinguish the encryption of text 
from the encryption of an equal-length string of garbage. For the formalization, 
let $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be an encryption scheme and let $A$ be an adversary with an 
encryption oracle. If the encryption scheme is probabilistic then fresh random 
choices are made for each query. If the encryption scheme is stateful then the 
state is properly initialized and then adjusted with each query. Define 

$$\mathbf{Adv}^{\mathrm{priv}}_{\mathcal{SE}}(A) = \Pr[K \leftarrow \mathcal{K} : A^{\mathcal{E}_K(\cdot)} = 1] - \Pr[K \leftarrow \mathcal{K} : A^{\mathcal{E}_K(\$^{|\cdot|})} = 1] .$$ 

In the first game, the oracle, given a message, returns an encryption of it under 
key $K$; in the second game the oracle, given a message, ignores it except to record 
its length $n$, and then returns an encryption of a random message of length $n$. 
The advantage of $A$ is a measure of the adversary’s ability to tell these two 
worlds apart. We let 

$$\mathbf{Adv}^{\mathrm{priv}}_{\mathcal{SE}}(t, q, \mu) = \max_A\{\mathbf{Adv}^{\mathrm{priv}}_{\mathcal{SE}}(A)\}$$ 

where the maximum is over all adversaries which have time-complexity at most 
$t$ and ask at most $q$ oracle queries, where these queries total at most $\mu$ bits. 

Authenticity. Consider parties sharing a key $K$ and sending messages using 
an encapsulation scheme $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$. We are interested in authenticity: 
the receiver wants to be confident that a received ciphertext (and underlying 
message) really did originate with the sender. To formalize this an adversary 
will be given a way to generate authenticated messages of her choice: $M_1 \mapsto 
C_1, M_2 \mapsto C_2, \ldots, M_q \mapsto C_q$. She will “win” if she computes a new string $C$ 
(that is, $C \notin \{C_1, \ldots, C_q\}$) which would be deemed authentic by the receiver. 
Authenticity in the context of an encapsulation scheme is a more general con- 
cept than that of a message authentication code (MAC). A MAC makes explicit 
a particular mechanism, namely the attachment of a tag to the transmission. 
(The tag, computed using the key, is created by the sender and checked by the 
receiver.) An encapsulation scheme may use a MAC, or may not, and consid- 
eration of authenticity for such a scheme cannot make assumptions about the 
presence of any type of mechanism. But there is a deeper difference between a 
MAC and a general authentication scheme. In formalizing the security of a MAC 
the adversary makes a number of queries to a MAC-generation oracle, with each 
query mapping the message $M_i$ to its tag $\tau_i$. After that the adversary has to 
come up with a new message $M$ and a tag $\tau$ such that the receiver will deem 
$(M, \tau)$ authentic. In particular, the adversary must “know” the message $M$ that 
is being forged, insofar as the adversary outputs it along with $\tau$. In contrast, an 
adversary attacking an authentication scheme in the general sense we are defin- 
ing wins even if she does not know what is the message $M$ which is being forged. 
All that is required is that there is such a message underlying $C$ — that is, the 
receiver will recover something in the message space $\mathcal{M}$ (and not an indication 
that $C$ is bogus). 

Formally, let $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be an authentication scheme and let $A$ be an 
adversary who is given oracle access to $\mathcal{E}_K$. After interacting with that oracle the 
adversary outputs a string $C$. We say $C$ is new if $C$ was not the response to any 
earlier oracle query asked by $A$. Adversary $A$ is said to be successful if $C$ is new 
and valid, and we measure the probability of this: 

$$\mathbf{Adv}^{\mathrm{auth}}_{\mathcal{SE}}(A) = \Pr[K \leftarrow \mathcal{K};\ C \leftarrow A^{\mathcal{E}_K(\cdot)} : C \text{ is new and } \mathcal{D}_K(C) \neq \bot] .$$ 

The quality of $\mathcal{SE}$ in authenticating messages is measured by the function 

$$\mathbf{Adv}^{\mathrm{auth}}_{\mathcal{SE}}(t, q, \mu) = \max_A\{\mathbf{Adv}^{\mathrm{auth}}_{\mathcal{SE}}(A)\}$$ 

where the maximum is over all adversaries who have time-complexity at most $t$ 
and make at most $q - 1$ oracle calls, these totaling at most $\mu - |C|$ bits, where 
$|C|$ is the length of $A$’s output. For simplicity, we assume that an adversary $A$ 
attacking the authenticity of $\mathcal{SE}$ will only output a string which is new. 

The above notion is called “integrity of ciphertexts” in [4] who provide a 
comprehensive picture of how it relates to other notions of privacy and au- 
thenticity for encapsulation schemes. In particular they show that integrity of 
ciphertexts plus privacy against chosen-plaintext attack imply privacy under 
chosen-ciphertext attack. 

3 Encoding Schemes 

Syntax. Fix message spaces $\mathcal{M}$, $\mathcal{M}^*$. An encoding scheme (“on $\mathcal{M}$”, or “from 
$\mathcal{M}$ to $\mathcal{M}^*$”) is a pair of algorithms Encode = (Encode, Decode) as we now 
describe. 

Algorithm Encode can be either probabilistic or stateful, while Decode is 
neither. First assume that Encode is probabilistic (not stateful). Then each time 
Encode is called on an input $M \in \mathcal{M}$ the algorithm flips some coins, $r$, and 
returns a string $M^* = \mathrm{Encode}(M, r) \in \mathcal{M}^*$. We assume that for any string 
$M \in \mathcal{M}$ and any coins $r$, we have that $|\mathrm{Encode}(M, r)| = \ell(|M|)$ for some 
function $\ell$, the “length function” of the encoding scheme. 

Algorithm Decode takes as input $M^* \in \{0,1\}^*$. It returns either a binary 
string $M \in \mathcal{M}$ or the distinguished symbol $\bot$. If $\mathrm{Decode}(M^*)$ is a binary string 
we say that $M^*$ is valid, while we say that $M^*$ is invalid if $\mathrm{Decode}(M^*) = \bot$. We 
demand that for any $M \in \mathcal{M}$ and any $r$, we have that $\mathrm{Decode}(\mathrm{Encode}(M, r)) = 
M$. 

We allow that Encode and Decode be presented with any string at all, even 
ones outside of $\mathcal{M}$ and $\mathcal{M}^*$. If you try to encode a string $M \notin \mathcal{M}$ then the result 
is the distinguished value $\bot$. If you try to decode a string $M^* \notin \mathcal{M}^*$ then the 
result is the distinguished value $\bot$. We further establish the convention that you 
can encode or decode $\bot$, which once again returns $\bot$. 

For simplicity in theorem statements we assume that Encode and Decode 
are efficiently computable, say in linear time. 

Rare-collision encodings. Let Encode = (Encode, Decode) be an encoding 
scheme and let $\ell(n)$ be its length function. Let $\epsilon: \mathbb{N} \to \mathbb{R}$ be a function. We say 
that Encode is $\epsilon$-colliding if for any number $q$ and any (even computation- 
ally unbounded) adversary $A$ who asks $q$ queries, the probability that some two 
of these queries receive the same valid response is at most $\epsilon(q)$: 

$$\Pr[(M_1^*, \ldots, M_q^*) \leftarrow \mathrm{Responses}(A^{\mathrm{Encode}(\cdot)}) : \exists\, i < j \text{ s.t. } M_i^* \neq \bot,\ M_j^* \neq \bot, \text{ and } M_i^* = M_j^*] \leq \epsilon(q) .$$ 

We shall say that $(M_1^*, \ldots, M_q^*)$ “collide” if some pair of these strings are the same 
and are different from $\bot$. The reader may prefer to think of $M_1 = M_2 = \cdots = M_q$ 
since typically this would be the adversary’s best strategy when trying to produce 
a collision (as $M \neq M'$ implies that their encodings, if valid, have to be different). 

Example 1. Encoding scheme Prepend-128-Random-Bits works as follows. The 
message space is $\mathcal{M} = \{0,1\}^*$. Function Encode takes an input $M$ and outputs 
$r \,\|\, M$, where $r$ is a sequence of 128 random bits. Function Decode takes an input 
$M^*$ and behaves as follows. If $M^*$ is at least 128 bits, then Decode outputs all 
but the first 128 bits of $M^*$. If $M^*$ is less than 128 bits then $\mathrm{Decode}(M^*)$ outputs 
$\bot$. Then Prepend-128-Random-Bits is $C(q, 2^{128})$-colliding, where $C(q, m)$ denotes 
the probability of at least one collision in the experiment of throwing $q$ balls, 
independently and at random, into $m$ bins. □ 


Collision-free encodings. For algorithm Encode to be stateful means that 
it maintains state across invocations. The initial value of that state is some fixed 
constant, $r_0$. Typically there will be a limit, $N$, on the number of times that 
Encode may be used. After that number of invocations Encode will return $\bot$ even 
when the inquiry is in $\mathcal{M}$. We require that for all messages $M$ and all internal 
states $r$, if $\mathrm{Encode}(M, r)$ returns a binary string $M^*$ then $\mathrm{Decode}(M^*) = M$. 
We emphasize that decoding is stateless. 

Stateful encoding schemes are of interest because with them we can make 
an encoding scheme collision free, meaning $0$-colliding, in the language above. 
Note that getting two $\bot$ values does not count as a collision. Here is an example. 

Example 2. Encoding scheme Prepend-64-Bit-Counter works as follows. The mes- 
sage space is $\mathcal{M} = \{0,1\}^*$. A counter ctr is initialized to 0. The $i$-th message is 
encoded as follows. If $i > 2^{64}$ then the encoding is $\bot$. Otherwise the encoding 
is $M^* = \langle i \rangle \,\|\, M$, where $\langle i \rangle$ is the number $i$ written as a 64-bit binary string. 
Function Decode takes an input $M^*$ and behaves as follows. If $|M^*| < 64$ then 
Decode returns $\bot$. Otherwise it returns $M^*$ after having expunged the first 64 
bits. Clearly Prepend-64-Bit-Counter is collision free: the counter guarantees that 
no two encodings can collide. □ 


Sparse encodings. Let Encode = (Encode, Decode) be an encoding scheme 
and let S be a real number. We say that encoding scheme Encode is 5-dense if 
for all n e N, 


Pr[M* <— {0, 1}" : Decode(M*) e {0, 1}* ] < 6 . 

That is, for every message length, at most a 5-fraction of all strings of that length 
are valid (they decode to strings in M). The rest are invalid encodings (they 
decode to J_). 

Example 3. The encoding scheme Prepend-32-Zeros works as follows. Let ℳ = 
{0, 1}*. Define Encode(M) = 0^32 || M. Define Decode(M*) to be M* after 
stripping away its first 32 bits, assuming that M* has at least 32 bits, and set 
Decode(M*) = ⊥ otherwise. Then Prepend-32-Zeros is 2^{-32}-dense: a string is 
valid (it starts with 32 zeros) with probability at most 2^{-32}. Indeed the probability 
that a random string M* is valid is exactly 2^{-32} if the length of M* is at 
least 32 bits, while the probability is 0 if the length of M* is less than 32 bits. ∎ 


Example 4. Let the message space ℳ be odd-parity-adjusted ASCII strings of 
length at least 50 bytes. This means that a message M ∈ ℳ is a sequence of 
bytes M = b_1 || ··· || b_n, for n ≥ 50, where each b_i is a byte having its low 7 
bits arbitrary and its high bit whatever is necessary so that the number of 1-bits 
in b_i is odd. Encoding scheme Odd-Parity is defined as follows. Function 
Encode is the identity function. Function Decode checks that the bit length of 
its input is divisible by 8, that the input is at least 50 bytes, and that each byte 
has odd parity. If these conditions are satisfied then Decode returns its input. 
Otherwise it returns ⊥. Then Odd-Parity is 2^{-50}-dense: a random string is valid 
with probability at most 2^{-50}. Indeed the probability that a random n-byte 
string is valid is 2^{-n} if n ≥ 50, and 0 if n < 50 or if the input is not a byte string 
at all. ∎ 
Fig. 1. Scheme F∘Encode: encrypting (left-hand side) and decrypting (right-hand 
side) using the encode-then-encipher paradigm. The plaintext is M, the 
ciphertext is C, the cipher is F = {F_K}, and the encoding scheme is Encode = 
(Encode, Decode). 

4 Enciphering Encoded Messages 

Let Encode = (Encode, Decode) be an encoding scheme from ℳ to ℳ* and 
let F = {F_K : ℳ* → ℳ*} be a cipher with key space 𝒦. Then we define the 
following encapsulation scheme F∘Encode = (𝒦, ℰ, 𝒟): 

(1) 𝒦 chooses a random key K ← 𝒦 and outputs it. 

(2) ℰ_K(M) sets M* ← Encode(M), returns ⊥ if M* = ⊥, and otherwise 
computes C ← F_K(M*) and returns that. Algorithm ℰ is stateful if and 
only if Encode is. If Encode is stateful then the initial state for ℰ is the 
initial state mandated by Encode, and ℰ maintains the state needed by the 
encoding scheme. 

(3) 𝒟_K(C) returns ⊥ if C ∉ ℳ*, and otherwise computes M* ← F_K^{-1}(C), sets 
M ← Decode(M*), and returns M. 

For a pictorial representation, see Figure 3. 
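The encoding schemes of Examples 2 and 4 and the F∘Encode construction above, as an added example in Python (not the paper's code). Bit strings are modelled as byte strings (so the 64-bit counter is 8 bytes), ⊥ is represented by None, and the cipher F is a 4-round Feistel network keyed with HMAC-SHA256; that choice of F is an assumption of this example, since the paper only requires a (strong) PRP on ℳ*.

```python
import hashlib
import hmac
import random

BOTTOM = None  # stands for the symbol ⊥ in the text


class Prepend64BitCounter:
    """Example 2: stateful encoding; the counter makes it collision-free."""

    def __init__(self, limit=2**64):
        self.ctr = 0         # initial state r_0
        self.limit = limit   # N, the number of permitted invocations

    def encode(self, m: bytes):
        self.ctr += 1
        if self.ctr > self.limit:
            return BOTTOM    # every invocation after the N-th returns ⊥
        return self.ctr.to_bytes(8, "big") + m   # <i> || M

    @staticmethod
    def decode(ms: bytes):   # stateless, as the text requires
        return BOTTOM if len(ms) < 8 else ms[8:]


class OddParity:
    """Example 4: identity encoding on odd-parity-adjusted strings of >= 50 bytes."""

    @staticmethod
    def adjust(low7: bytes) -> bytes:
        """Set each byte's high bit so that its number of 1-bits is odd."""
        return bytes((b & 0x7F) | (0 if bin(b & 0x7F).count("1") % 2 else 0x80)
                     for b in low7)

    @staticmethod
    def decode(ms: bytes):
        if len(ms) < 50 or any(bin(b).count("1") % 2 == 0 for b in ms):
            return BOTTOM
        return ms

    @staticmethod
    def encode(m: bytes):
        return OddParity.decode(m)   # identity on M, ⊥ for inputs outside M


def _prf(key: bytes, rnd: int, data: bytes, n: int) -> bytes:
    """Feistel round function: HMAC-SHA256 expanded to n bytes (this example's choice)."""
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, bytes([rnd]) + i.to_bytes(4, "big") + data,
                        hashlib.sha256).digest()
    return out[:n]


def _feistel(key: bytes, data: bytes, rounds) -> bytes:
    """Length-preserving permutation of byte strings of any length (0 and 1 included)."""
    half = len(data) // 2
    left, right = data[:half], data[half:]
    for r in rounds:  # even rounds mask the left half, odd rounds the right half
        if r % 2 == 0:
            left = bytes(a ^ b for a, b in zip(left, _prf(key, r, right, len(left))))
        else:
            right = bytes(a ^ b for a, b in zip(right, _prf(key, r, left, len(right))))
    return left + right


def F(key: bytes, ms: bytes) -> bytes:      # F_K
    return _feistel(key, ms, range(4))


def F_inv(key: bytes, c: bytes) -> bytes:   # F_K^{-1}: the same XOR steps, in reverse order
    return _feistel(key, c, range(3, -1, -1))


class EncodeThenEncipher:
    """F o Encode: E_K(M) = F_K(Encode(M)) and D_K(C) = Decode(F_K^{-1}(C))."""

    def __init__(self, key: bytes, scheme):
        self.key, self.scheme = key, scheme

    def encrypt(self, m: bytes):
        ms = self.scheme.encode(m)
        return BOTTOM if ms is BOTTOM else F(self.key, ms)

    def decrypt(self, c: bytes):
        return self.scheme.decode(F_inv(self.key, c))


def repeats_collide(key: bytes, scheme, m: bytes) -> bool:
    """True if encrypting m twice gives the same ciphertext, i.e. the two encodings collided."""
    ete = EncodeThenEncipher(key, scheme)
    return ete.encrypt(m) == ete.encrypt(m)


def accepted_forgeries(key: bytes, trials: int, seed: int = 1) -> int:
    """Count one-bit-altered ciphertexts that D_K still accepts: about trials * 2^-64 here."""
    ete = EncodeThenEncipher(key, OddParity())
    c = ete.encrypt(OddParity.adjust(b"constructed sample plaintext".ljust(64, b".")))
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        pos, bit = rng.randrange(len(c)), 1 << rng.randrange(8)
        altered = c[:pos] + bytes([c[pos] ^ bit]) + c[pos + 1:]
        hits += ete.decrypt(altered) is not BOTTOM   # F_K^{-1} scrambles all 64 bytes
    return hits
```

With the stateless Odd-Parity encoding, encrypting the same message twice yields identical ciphertexts (an encoding collision, which the privacy bound charges to ε(q)); the counter encoding avoids this, while the parity redundancy is what makes altered ciphertexts decode to ⊥.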

Privacy from Rare/Collision-Free Encodings. We show that encryption 
scheme F∘Encode is private if encoding scheme Encode has rare or no collisions 
and F is a secure cipher, in the sense of being a good PRP. The following theorem 
makes this formal and quantitative. 

Theorem 1. Let Encode = (Encode, Decode) be an encoding scheme from ℳ 
to ℳ* and let F = {F_K : ℳ* → ℳ*} be a cipher with key space 𝒦. Suppose 
that Encode is ε-colliding. Then F∘Encode = (𝒦, ℰ, 𝒟) has security 

$$\mathrm{Adv}^{\mathrm{priv}}_{F\circ\mathit{Encode}}(t, q, \mu) \le \mathrm{Adv}^{\mathrm{prp}}_{F}(t', q, \mu) + \epsilon(q)$$ 
where t' = t + O(μ). 
Proof. Let B be an adversary attacking the privacy of F∘Encode. Let t be 
its running time, q the number of queries it makes, and μ the length of all its 
queries put together, plus the length of B's output. Our goal is to upper bound 
Adv^{priv}_{F∘Encode}(B). To this end we introduce a couple more algorithms and some 
associated probabilities. 

Algorithm D is a distinguisher for F. It is given an oracle for a permutation 
f ∈ Perm(ℳ*). It runs B. When B makes an oracle query M, distinguisher D 
computes M* ← Encode(M) and C ← f(M*). It returns C to B as the answer 
to the query. When B terminates, D outputs whatever B outputs. 

Algorithm A is a collision finding adversary for Encode. It is given oracle Encode. 
It picks a permutation f from Perm(ℳ*) at random. (Or simulates such a 
permutation. The difference is technically immaterial since the running time of 
A is not restricted.) It then runs B. When B makes an oracle query M, algorithm 
A computes M* ← Encode(M) and C ← f(M*). It returns C to B as the answer 
to the query. When B terminates, so does A. 

We now define the following probabilities: 

$$p_1 = \Pr[K \leftarrow \mathcal{K} : B^{\mathcal{E}_K(\cdot)} = 1]$$ 
$$p_2 = \Pr[K \leftarrow \mathcal{K} : B^{\mathcal{E}_K(\$(\cdot))} = 1]$$ 
$$p_3 = \Pr[K \leftarrow \mathcal{K} : D^{F_K(\cdot)} = 1]$$ 
$$p_4 = \Pr[\pi \leftarrow \mathrm{Perm}(\mathcal{M}^*) : D^{\pi(\cdot)} = 1]$$ 
$$p_5 = \Pr[(M^*_1, \dots, M^*_q) \leftarrow \mathrm{Responses}(A^{\mathit{Encode}(\cdot)}) : \exists\, i < j \text{ s.t. } M^*_i = M^*_j \ne \bot] .$$ 

Note that Adv^{priv}_{F∘Encode}(B) = p_1 − p_2. To upper bound it we use the following 
claims. First, p_1 = p_3. Second, p_2 ≥ p_4 − p_5. The proofs of these claims are 
omitted here for lack of space but can be found in the full version of this paper 
[6]. Given these claims we have 

$$\mathrm{Adv}^{\mathrm{priv}}_{F\circ\mathit{Encode}}(B) = p_1 - p_2 \le p_3 - (p_4 - p_5) = (p_3 - p_4) + p_5 \le \mathrm{Adv}^{\mathrm{prp}}_{F}(D) + \epsilon(q) .$$ 

This concludes the proof of Theorem 1. ∎ 

Authenticity from Sparse Encodings. We show that F∘Encode is an authenticated 
encryption scheme if encoding Encode adds adequate redundancy 
and F is a strong PRP. The following theorem makes this formal and quantitative. 
We remark that this result requires that the PRP be strong, which 
the previous result did not, and we subsequently show this extra requirement is 
necessary. 

Theorem 2. Let Encode = (Encode, Decode) be an encoding scheme from ℳ 
to ℳ* and let F = {F_K : ℳ* → ℳ*} be a cipher with key space 𝒦. Suppose that 
Encode is δ-dense and that q ≤ [bound illegible in this scan]. Then F∘Encode = (𝒦, ℰ, 𝒟) has security 

$$\mathrm{Adv}^{\mathrm{auth}}_{F\circ\mathit{Encode}}(t, q, \mu) \le \mathrm{Adv}^{\mathrm{sprp}}_{F}(t', q, 2\mu) + 2\delta$$ 
where t' = t + O(μ). 
Proof. Let B be an adversary attacking the authenticity of F∘Encode. Let t 
be its running time, q − 1 the number of queries it makes, and μ the total 
length of all its queries put together, and its final output. Our goal is to upper 
bound Adv^{auth}_{F∘Encode}(B). To this end we introduce an algorithm D and some 
probabilities. 

Algorithm D is a distinguisher for F. It is given two oracles: f and f^{-1}, where 
f ∈ Perm(ℳ*) is a permutation. It runs B. When B makes an oracle query 
M, distinguisher D computes M* ← Encode(M) and C ← f(M*). It returns C 
to B as the answer to the query. When B terminates, it outputs a ciphertext C, 
which is supposed to be its forgery. Algorithm D outputs 0 if C ∉ ℳ*. Otherwise 
D computes M* ← f^{-1}(C) (this is the one and only time it uses its f^{-1} oracle). 
Algorithm D then computes M ← Decode(M*). If M = ⊥ then D outputs 0, 
else D outputs 1. 

We now define the following probabilities: 

$$p_1 = \Pr[K \leftarrow \mathcal{K};\ C \leftarrow B^{\mathcal{E}_K(\cdot)} : C \text{ is new and } \mathcal{D}_K(C) \ne \bot]$$ 
$$p_2 = \Pr[K \leftarrow \mathcal{K} : D^{F_K(\cdot),\, F_K^{-1}(\cdot)} = 1]$$ 
$$p_3 = \Pr[\pi \leftarrow \mathrm{Perm}(\mathcal{M}^*) : D^{\pi(\cdot),\, \pi^{-1}(\cdot)} = 1]$$ 

Note that Adv^{auth}_{F∘Encode}(B) = p_1. To upper bound it we use the following claims. 
First, p_1 = p_2. Second, p_3 ≤ 2δ. The proofs of these claims are omitted here for 
lack of space but can be found in the full version of this paper [6]. Given these 
claims we have 

$$\mathrm{Adv}^{\mathrm{auth}}_{F\circ\mathit{Encode}}(B) = p_1 = p_2 = (p_2 - p_3) + p_3 \le \mathrm{Adv}^{\mathrm{sprp}}_{F}(D) + 2\delta .$$ 

This concludes the proof of Theorem 2. ∎ 

We now discuss the necessity of the extra requirement on the PRP above, namely 
that it be strong. The following indicates that without this requirement, the 
authenticity does not hold. Using the bounds found in the proof, the informal 
theorem statement below is easily adapted to give a more precise (but less 
understandable) quantitative assertion. A proof of the following can be found in 
[6]. 

Theorem 3. If there exists a secure PRP then there exists a secure PRP F 
(that is not a strong PRP) and a δ-dense encoding scheme Encode for which the 
scheme F∘Encode does not achieve authenticity. ∎ 
Abstract. We generalize and improve the security and efficiency of the 
verifiable encryption scheme of Asokan et al., such that it can rely on 
more general assumptions, and can be proven secure without assuming 
random oracles. We extend our basic protocol to a new primitive called 
verifiable group encryption. We show how our protocols can be applied 
to construct group signatures, identity escrow, and signature sharing 
schemes from a wide range of signature, identification, and encryption 
schemes already in use. In particular, we achieve perfect separability for 
all these applications, i.e., all participants can choose their signature and 
encryption schemes and the keys thereof independent of each other, even 
without having these applications in mind. 

1 Introduction 

A verifiable encryption scheme is in its basic form a two-party protocol between 
a prover P and a verifier V. Their common inputs are a public encryption key E, 
a public value x, and a binary relation ℛ. As a result of the protocol, V either 
rejects or obtains the encryption of some value w under E such that (x, w) ∈ ℛ 
holds. For instance, ℛ could be defined such that (x, w) ∈ ℛ if and only if w is a 
signature on message x w.r.t. some fixed public key. In other words, P claims 
to have given V the encryption of a valid signature on x. 

The protocol should ensure that V accepts an encryption of an invalid w with 
only negligible probability. Moreover, V should learn nothing except the encryp- 
tion of w and the fact that w is valid w.r.t. x. In particular, if the encryption 
scheme is semantically secure, the protocol should be zero-knowledge. 

* BRICS: Basic Research in Computer Science, Center of the Danish National Research 
Foundation 

T. Okamoto (Ed.): ASIACRYPT 2000, LNCS 1976, pp. 331-345, 2000. 
The encryption key E can belong to P, but typically belongs to a third party 
in which case the third party should not need to take part in the protocol, in 
other words, P does not need to know the secret key corresponding to E. 

Verifiable encryption schemes are employed in many cryptographic protocols 
(although the term “verifiable encryption” is not always used). Examples are 
digital payment systems with revocable anonymity (e.g., [7,21]), verifiable sig- 
nature sharing (e.g., [22]), (publicly) verifiable secret sharing (e.g., [32]), escrow 
schemes [30,34], or fair exchange of signatures [1,2,4]. However, only the schemes 
presented in [2,26,33] do not apply ad-hoc constructions using a specific encryp- 
tion scheme that suits the particular application; in fact, our protocols can be 
seen as a generalization of the protocols employed in [2,26,33]. 

The concept of verifiable encryption was introduced in [32] in the context of 
publicly verifiable secret sharing schemes, and in a more general form in [2] , for 
the purpose of fair exchange of signatures. Micali [27] also proposes the use of 
provable encryption of data for third parties to solve several variants of the fair 
exchange problem. 

In this paper, we first show how to modify and generalize the verifiable en- 
cryption scheme from [2] to achieve the following: 

— The relation ℛ can be any relation possessing a three-move proof of knowledge 
which is an Arthur-Merlin game, i.e., as the second message, the verifier 
sends a random challenge. This proof should be honest-verifier zero-knowledge, 
and a cheating prover should be unable to answer more than one 
challenge correctly. 

— It can be based on any public-key encryption scheme. 

— The verifier needs to store only O(log k) encryptions of the underlying encryption 
scheme. 

— In its interactive form, our scheme can be proved secure without relying on 
random oracles. 

In comparison, the scheme from [2] only works for relations ℛ containing 
pairs of the form (x, w) with x = f(w), where f is a one-way group homomorphism, and the 
verifier is required to store k encryptions of the underlying encryption scheme. 
Finally, the scheme from [2] is only secure in the random oracle model, even in 
its interactive form; in other words, it relies on random oracles for more than 
just the standard removal of interaction à la Fiat-Shamir^1. 

Our results are especially suited for a situation where a public-key infrastruc- 
ture already exists, i.e., users already have (certified) public keys for encryption, 
signature, or identification schemes. However, we assume that these keys are not 
necessarily generated with other and more advanced primitives in mind, such as 
group signatures, identity escrow, fair contract signing, or blind signatures with 
revocable anonymity. We believe this is a very realistic scenario. 

1 We are referring here to the proceedings version of [2] . Having been informed of our 
results, the authors of [2] later modified their protocols such that they do not rely 
on random oracles. These protocols appear in the journal version of their paper [3]. 
We provide examples of how our verifiable encryption schemes can be applied 
in this scenario to build such advanced primitives, where their security can be 
proved based only on security of the existing infrastructure: No special assumptions 
are needed on the existing encryption scheme. The signature scheme only 
needs to satisfy that one can prove knowledge of a signature on a given message 
by a so-called Σ-protocol. All standard signature schemes (RSA, El-Gamal, 
DSS) satisfy this. Any identification scheme that is a three-move honest-verifier 
proof of knowledge is also suitable. 

All our solutions for these applications possess perfect separability, i.e., all 
participants can choose (or renew) their keys independently of each other or even 
use different kinds of encryption and signature schemes which is a requirement 
met for the first time for these applications. The term separability originates 
from [26] and was diversified in [8]. There exist weaker forms of separability, 
i.e., partial separability allows only a subset of the participants to choose their 
keys independently whereas weak separability requires that all participants use 
common system parameters, e.g., they must all use DSS and choose their keys 
from the same algebraic group (cf. [8]). Clearly, both these forms of separability 
are not sufficient if one accepts no special purpose key-setup procedure. 

Furthermore, we introduce a new primitive called verifiable group encryption 
involving n > 1 third parties (called proxies) where only certain subsets of them 
can jointly decrypt the secret. This new primitive is an extension of our verifiable 
encryption scheme: we are given n public encryption keys E_1, ..., E_n and the 
prover and the verifier agree on any monotone access structure over {1, ..., n}. 
Then, if V accepts, he is convinced that he has obtained an encryption of a 
valid secret which a subset of the proxies can decrypt if and only if that subset 
is contained in the access-structure. For example, one can decide that for some 
t < n, any subset of at least t players can decrypt, whereas less than t players 
cannot. This notion of group encryption should not be confused with the notion 
of threshold encryption [17]. In the latter case, a number of parties publish a 
single public key and the access structure is determined by these parties during 
the setup of the system. In contrast, a group encryption scheme allows to choose 
a (possibly different) access structure each time when (verifiably) encrypting a 
message. Another distinguishing feature is that a group encryption enables the 
proxies to choose their encryption keys independently of each other and allows 
them even to use different encryption schemes (perfect separability). 

We also show how to get verifiable signature sharing from verifiable group 
encryption, yielding more general solutions for this problem than were 
previously known, and thereby solve an open problem raised in [10]. 

We believe that our verifiable encryption primitives facilitate the design of 
provably secure protocols for many applications such that their setup remains 
minimal and perfectly separable, i.e., protocols that are tailored for a public 
key infrastructure as described above. Previously, one had to resort to general 
zero-knowledge techniques for such solutions and thus accept a prohibitive loss 
of efficiency. Also, much more efficient schemes can sometimes be obtained by 
ad-hoc constructions, but this requires relying on particular properties of the 
encryption and/or signature scheme involved, and sometimes means that no 
proofs of security can be given, and always means that separability cannot be 
provided. For a comparison to some concrete previous schemes of this type, 
please refer to Section 5.2. 

2 Preliminaries 

2.1 Σ-Protocols 

A Σ-protocol [13,15] for a boolean relation ℛ ⊆ {0, 1}* × {0, 1}* is a three-move 
honest-verifier zero-knowledge proof of knowledge for ℛ. That is, a string x is the 
common input to a prover P and a verifier V, and P demonstrates knowledge of 
a w such that (x, w) ∈ ℛ. We call w a witness for x, and the set of x's that have 
witnesses is called L_ℛ. Of course, carrying out a Σ-protocol for some relation 
ℛ makes sense only if it is a hard relation for (at least) one of the two involved 
parties. A Σ-protocol can be defined by three (probabilistic) procedures σ_t, σ_s, 
and σ_v as follows. On input x and w, the prover uses σ_t to compute a so-called 
commitment t and some side-information r. The prover sends the verifier t as 
the first message. Then, the verifier sends back a random bit string c, called a 
challenge. The prover uses x, w, r, and c as input to σ_s to compute the response 
s which he sends the verifier. Finally, σ_v is a predicate taking x, t, c, and s 
as input that V uses to check whether s is a valid response, i.e., V accepts if 
σ_v(x, t, c, s) = 1 holds. A triple (t, c, s) such that σ_v(x, t, c, s) = 1 is called an 
accepting triple for x. 

We require that if P and V follow the protocol, V always accepts, whereas 
a cheating prover can answer at most one challenge correctly per commitment. 
More precisely, there is some polynomial-time procedure ρ that, given two accepting 
triples (t, c_1, s_1) and (t, c_2, s_2) with c_1 ≠ c_2, computes w such that 
(x, w) ∈ ℛ. 

We also require that a Σ-protocol is honest-verifier perfect zero-knowledge in 
the particular sense that there is a simulator which, given input x and challenge 
c, computes a t and an s such that (t, c, s) is accepting w.r.t. x, and has a 
distribution equal to (or computationally indistinguishable from) that of real 
conversations with the honest verifier where c occurs as challenge. 

Cramer et al. [15] show that different Σ-protocols can be composed to obtain 
Σ-protocols for statements such as "I know a witness to x_1 ∈ L_{ℛ_1} or a witness 
to x_2 ∈ L_{ℛ_2}" while retaining efficiency. Note that the zero-knowledge property 
in particular implies that V does not learn whether P knows a witness to x_1 or 
to x_2. More generally, we have the following lemma. 

Lemma 1 (Composition of Σ-protocols [15]). Given Σ-protocols for relations 
ℛ_1, ..., ℛ_n, one can construct Σ-protocols for the relations 

— $\mathcal{R}_{\vee} = \{((x_1, \dots, x_n), w) \mid \exists\, i : (x_i, w) \in \mathcal{R}_i\}$ and 

— $\mathcal{R}_{\Gamma} = \{((x_1, \dots, x_n), (w_1, \dots, w_n)) \mid \exists\, S \in \Gamma : \forall\, i \in S : (x_i, w_i) \in \mathcal{R}_i\}$, 
where Γ is a monotone access structure over {1, ..., n}. 
Probably the best-known special case of relations ℛ with Σ-protocols are public-key 
identification schemes such as the ones by Feige, Fiat, and Shamir [19], by 
Guillou and Quisquater [25], or by Schnorr [31]. Furthermore, many proofs of 
knowledge of or about discrete logarithms found in the literature are Σ-protocols. 
A protocol that is of interest in the context of this paper is a proof of knowledge 
of a pre-image under a group homomorphism. It turns out that this protocol 
is very useful in practice because demonstrating (in zero-knowledge) that one 
knows a signature on a given message reduces to demonstrating that one knows 
a pre-image under a group homomorphism. This is true for any of the standard 
signature schemes in use today (RSA, DSA, etc.) (see [2,22]). 


2.2 Probabilistic Encryption Schemes 

A triple (G, E, D) of probabilistic polynomial-time algorithms is a polynomially 
secure public key encryption system (see for instance [24,28]) if we have the 
following: 

1. For every output (E, D) ∈ G(1^k) and all messages m ∈ {0, 1}^k we have 
D(E(m)) = m. 

2. For all probabilistic algorithms T and M, all polynomials p(·), and all 
sufficiently large k we have 

$$\Pr[T(1^k, E, m_0, m_1, \alpha) = m : (E, D) := G(1^k);\ (m_0, m_1) := M(E, 1^k);\ m \in_R \{m_0, m_1\};\ \alpha := E(m)] < \frac{1}{2} + \frac{1}{p(k)} .$$ 

For convenience, E denotes the public key as well as the actual encryption 
algorithm, and D the secret key as well as the decryption algorithm. Furthermore, 
we will sometimes write E(r, m) rather than E(m), where r contains all coin flips 
to be made for encryption; hence E will in these cases denote a "deterministic" 
algorithm. 


3 Verifiable Encryption 

3.1 Definition of Verifiable Encryption 

We give a definition of a secure verifiable encryption scheme for a relation ℛ 
following [2]. 

Definition 1 (Secure Verifiable Encryption). Let ℛ be a binary relation 
and let L_ℛ = {x | ∃w : (x, w) ∈ ℛ}. A secure verifiable encryption scheme for a 
relation ℛ consists of a two-party protocol (P, V) and a recovery algorithm R. Let 
V_P(E, x, k) denote the output of V when interacting with P on input (E, x, k), 
where k is a security parameter. The following properties must hold: 

Completeness: If P and V are honest then V_P(E, x, k) ≠ ⊥ for all (E, D) ∈ G(1^k) 
and for all x ∈ L_ℛ. 
Validity: For all polynomial time P, all positive polynomials p(·), all sufficiently 
large k, and all (E, D) = G(1^k) we have 

$$\Pr[(x, R(D, \alpha)) \notin \mathcal{R} \text{ and } \alpha \ne \bot : \alpha := V_P(E, x, k)] < \frac{1}{p(k)} .$$ 

Computational Zero-Knowledge: For every V there exists an expected polynomial-time 
simulator S_V with black-box access to V s.t. for all distinguishers A, all 
positive polynomials p, all x ∈ L_ℛ, and all sufficiently large k, we have 

$$\Pr[A(E, x, \alpha_i) = i : (E, D) := G(1^k);\ \alpha_0 := S_V(E, x, k);\ \alpha_1 := V_P(E, x, k);\ i \in_R \{0, 1\}] \le \frac{1}{2} + \frac{1}{p(k)} .$$ 

The completeness property should need no discussion. Validity ensures that 
it almost never happens that an honest verifier accepts simultaneously with 
recovery failing to compute a witness for x ∈ L_ℛ. A consequence of this is that 
a verifiable encryption scheme is necessarily also a proof of knowledge of such a 
witness. Finally, the zero-knowledge condition assures the prover that no verifier 
can learn anything beyond the fact that x ∈ L_ℛ and that a witness for x can be 
recovered from the output. 

We note that computational zero-knowledge is the best we can achieve due 
to the requirement that a witness is (and should be) recoverable from the con- 
versation. Also note that the encryption scheme must be semantically secure (cf. 
Section 2.2) in order for the zero-knowledge property to be satisfied. 

Our zero-knowledge definition allows the simulator to rewind the verifier. 
In some applications it may be desirable to require that simulation can be 
done without rewinding, since this implies that the protocol is concurrent zero- 
knowledge [18], i.e., even an arbitrary interleaving of different instances of the 
protocol is simulatable. We note that one variant of our protocol in fact has this 
stronger property. 

The verifiable encryption scheme for group homomorphisms described in [2] 
can be seen as a special case of our definition with respect to the relations ℛ that 
are considered. In particular, the relation defined by {(x, w) | x = f(w)}, where 
f is a group homomorphism, is a subclass of the relations having a Σ-protocol. 

3.2 A Verifiable Encryption Scheme 

We first present a very simple but not very efficient scheme, and then move on 
with improvements. 

Let (G, E, D) be a semantically secure cryptosystem. Let (E, D) := G(1^k) 
be the public and secret key of a third party. Also, we are given a relation with a 
Σ-protocol defined by procedures σ_t, σ_s, and σ_v. Assume for simplicity that the 
verifier can choose only between 0 and 1 as challenges. The idea is now simply 
that given x, the prover will start a conversation in the Σ-protocol. Using his 
knowledge of a witness w he can compute answers to both c = 0 and c = 1, and 
he supplies encryptions under E of both of these. The verifier can now ask P 
to open one of these encryptions to check if it contains a valid answer. If this 
is true for both encryptions, decrypting the other one allows one to recover w (due 
to the properties of the Σ-protocol), whereas if at least one of them contains 
garbage, the prover will be caught with probability 1/2. Concretely, we have the 
following. (The proof can be found in the full version of this paper [5].) 

Verifiable Encryption, Group Encryption, and Their Applications 337 

P(x, w, E)                                                    V(x, E) 

r_0, r_1 ∈_R {0,1}^ℓ, (t, r_t) := σ_t(x, w) 
s_0 := σ_s(x, w, r_t, 0), s_1 := σ_s(x, w, r_t, 1) 
e_0 := E(r_0, s_0), e_1 := E(r_1, s_1) 
                      t, e_0, e_1 
              ----------------------------> 
                                                              c ∈_R {0, 1} 
                           c 
              <---------------------------- 
                        r_c, s_c 
              ----------------------------> 
                                                              o := (c, e_{c̄}, s, t) if 1 = σ_v(x, t, c, s) and e_c = E(r, s), 
                                                                   ⊥ otherwise 

Fig. 1. One round of the basic verifiable encryption scheme. Recovery takes place 
by decrypting e_{c̄} and using the soundness property of the Σ-protocol to compute 
w. The parameter ℓ is defined by the encryption algorithm E. 

Theorem 1. Let ℛ be a relation that has a Σ-protocol. The protocol depicted 
in Figure 1 is a secure verifiable encryption scheme for ℛ when sequentially 
repeated k times. 

The main drawback of our basic scheme is that the verifier must store an 
encryption and a conversation (accepting triple) in the Σ-protocol for each repetition 
and that it needs to be repeated O(k) times sequentially. In Figure 2 
an improved scheme is depicted that allows one to store far fewer encryptions and 
triples. The idea is that in the basic step, the prover will supply a valid triple 
where the challenge is 0, but where the prover's response is encrypted. The verifier 
can then ask the prover either to open the encryption or to supply a valid 
answer to challenge 1. The point is that the verifier only needs to remember the 
unopened encryptions and the related triples. 

Furthermore, the protocol is made constant-round by relying on a commitment 
scheme, i.e., a function Com that takes as input the string α to commit 
to and an additional input string β. Then a player can commit by sending 
T := Com(α, β), where β is randomly chosen (we write just Com(α) in the following). 
The commitment scheme must possess the following three properties: 
Hiding: The distributions of commitments to different α's must be computationally 
indistinguishable. 
P(x, w, E)                                                    V(x, E) 

for i = 1, ..., k: 
    (t_i, r̃_i) := σ_t(x, w), s̃_i := σ_s(x, w, r̃_i, 0) 
    r_i ∈_R {0,1}^ℓ, e_i := E(r_i, s̃_i) 
T := Com((t_1, e_1), ..., (t_k, e_k)) 
                           T 
              ----------------------------> 
                                                              C ⊆_R {1, ..., k} s.t. |C| = u 
                           C 
              <---------------------------- 
s_i := σ_s(x, w, r̃_i, 1) for i ∈ C, s_i := s̃_i for i ∉ C 
              open T; s_1, ..., s_k, {r_i | i ∉ C} 
              ----------------------------> 
                                                              o := {(e_i, s_i, t_i) | i ∈ C} if 1 = σ_v(x, t_i, 1, s_i) for all i ∈ C 
                                                                   and 1 = σ_v(x, t_i, 0, s_i), e_i = E(r_i, s_i) for all i ∉ C, 
                                                                   ⊥ otherwise 

Fig. 2. An improved verifiable encryption scheme using a commitment scheme. 
Reconstruction is straightforward by decrypting the e_i's in the output. The integers 
k, u, and ℓ are security parameters and |C| denotes the cardinality of the 
set C. 


Binding: It should be computationally hard to open a commitment in two different 
ways, i.e., to find α ≠ α' and β, β' such that Com(α, β) = Com(α', β'). 
Trapdoor: There is a piece of trapdoor information, knowledge of which allows one 
to open a commitment in an arbitrary way. 

There are numerous efficient constructions known of such schemes (see for 
instance [14]), but in fact our assumptions in this scenario are already sufficient 
to ensure their existence: ℛ must be a hard relation, in order for our scenario 
to make sense, and it is known that a Σ-protocol for a hard relation implies the 
existence of a secure commitment scheme with these three properties [16]. 

We require a once-and-for-all set-up phase for the commitment schemes where 
the verifier generates the Com- function together with the trapdoor information, 
sends the function to the prover, and proves knowledge of the trapdoor. For sim- 
plicity, we do not include this set-up phase explicitly in the protocol description; 
nevertheless, this set-up phase needs to be considered in the proof of security. 

Theorem 2. Let ℛ be a relation possessing a Σ-protocol. The protocol depicted 
in Figure 2, when using a secure commitment scheme Com, is a secure verifiable 
encryption scheme for ℛ for any u such that log k < u < k/2. 

The proof can be found in the full version of this paper [5] . 
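The Figure 2 protocol above, instantiated as an added example (not the paper's code) with Schnorr's Σ-protocol for ℛ = {(x, w) : x = g^w}, hashed ElGamal for the third party's encryption E (so that E(r, s) is deterministic given r), and SHA-256 as a stand-in for Com (hiding and binding, but without the trapdoor property the security proof uses). The group is toy-sized and indices are 0-based; every one of these instantiations is an assumption of this example.

```python
import hashlib
import random

P, Q, G = 1019, 509, 4       # toy safe prime p = 2q + 1 and a generator g of order q
rng = random.Random(2024)    # seeded so that a run is reproducible


# Σ-protocol (σ_t, σ_s, σ_v, ρ): Schnorr's proof of knowledge of w with x = g^w mod p
def sigma_t(x, w):
    r = rng.randrange(Q)
    return pow(G, r, P), r               # commitment t and side-information r

def sigma_s(x, w, r, c):
    return (r + c * w) % Q               # response to challenge c in {0, 1}

def sigma_v(x, t, c, s):
    return pow(G, s, P) == t * pow(x, c, P) % P

def extract(s0, s1):                     # ρ: accepting triples for c = 0 and c = 1 yield w
    return (s1 - s0) % Q


# Third party's encryption: hashed ElGamal, E = g^D; E(r, s) is deterministic given r
def keygen():
    d = rng.randrange(1, Q)
    return pow(G, d, P), d               # (E, D)

def _pad(k):                             # 16-bit mask derived from the shared value; Q < 2^16
    return int.from_bytes(hashlib.sha256(str(k).encode()).digest()[:2], "big")

def enc(E, r, s):
    return pow(G, r, P), s ^ _pad(pow(E, r, P))

def dec(D, e):
    return e[1] ^ _pad(pow(e[0], D, P))

def com(items, beta):                    # stand-in for Com(α, β): hiding and binding, no trapdoor
    return hashlib.sha256(repr(items).encode() + beta).hexdigest()


# Figure 2, interactive version
def prover_commit(x, w, E, k):
    """P: k accepting triples for challenge 0, responses encrypted, all committed in T."""
    st = []
    for _ in range(k):
        t, rt = sigma_t(x, w)
        s0 = sigma_s(x, w, rt, 0)
        r = rng.randrange(Q)
        st.append((t, rt, s0, r, enc(E, r, s0)))
    beta = rng.getrandbits(128).to_bytes(16, "big")
    return com([(t, e) for t, _, _, _, e in st], beta), (st, beta)

def verifier_challenge(k, u):
    return set(rng.sample(range(k), u))  # C ⊆ {0, ..., k-1} (0-based here), |C| = u

def prover_respond(x, w, state, C):
    """P: answer challenge 1 for i in C; open e_i (reveal r_i and s_i) for i not in C."""
    st, beta = state
    pairs = [(t, e) for t, _, _, _, e in st]
    s = [sigma_s(x, w, rt, 1) if i in C else s0 for i, (_, rt, s0, _, _) in enumerate(st)]
    r = {i: st[i][3] for i in range(len(st)) if i not in C}
    return pairs, beta, s, r

def verify(x, E, T, C, pairs, beta, s, r):
    """V: returns o = {(e_i, s_i, t_i) : i in C}, or None for ⊥."""
    if com(pairs, beta) != T:
        return None
    for i, (t, e) in enumerate(pairs):
        if i in C:
            ok = sigma_v(x, t, 1, s[i])
        else:
            ok = sigma_v(x, t, 0, s[i]) and enc(E, r[i], s[i]) == e
        if not ok:
            return None
    return [(pairs[i][1], s[i], pairs[i][0]) for i in sorted(C)]

def recover(D, o):
    """R: decrypt an unopened e_i (response to 0) and combine it with s_i (response to 1)."""
    e, s1, _t = o[0]
    return extract(dec(D, e), s1)

def run(w, k=8, u=3):
    """One full execution with honest P and V; True iff V accepts and R recovers w."""
    x = pow(G, w, P)
    E, D = keygen()
    T, state = prover_commit(x, w, E, k)
    C = verifier_challenge(k, u)
    o = verify(x, E, T, C, *prover_respond(x, w, state, C))
    return o is not None and recover(D, o) == w
```

The verifier keeps only the u unopened encryptions and their triples, as the text describes, and recovery needs just one of them together with the matching challenge-1 response.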
There is another variant of our protocol which requires 4 messages, but has 
the advantage of being secure against an unbounded prover. Here, V commits to 
his choice of C in advance, P sends (t_1, e_1), ..., (t_k, e_k), V opens the commitment, 
and P responds to the C revealed as above. This can be proven zero-knowledge 
using techniques from [23]. 

In practice one is often interested in a particular error probability ε. There 
will then be many values of k and u with 1/binom(k, u) ≤ ε, and one should then of 
course choose whatever particular k and u fit the application best. 

It is easy to make a non-interactive variant of this construction using the 
Fiat-Shamir heuristic: the prover computes (t_1, e_1), ..., (t_k, e_k), determines the 
challenge C from h((t_1, e_1), ..., (t_k, e_k)), where h is some suitable (hash) function, 
and finally appends valid responses (s_1, r_1), ..., (s_k, r_k). All this can be 
verified as before by V. It is straightforward to show that this is secure in the 
random oracle model, replacing calls to h by calls to the oracle. 

4 Verifiable Group Encryption 

In our basic primitive, the prover and the verifier have to trust the third party 
to behave as expected. That is, the prover must trust him/her to recover the 
encrypted witness when appropriate only, whereas the verifier relies on the third 
party to decrypt the witness when required. To achieve higher security against 
fraudulent third parties, we extend our basic primitive to verifiable group en- 
cryption, which on its own is a useful concept in many cases. Here, the witness 
gets encrypted for n third parties, called proxies, such that only designated sub- 
sets of them can jointly recover the witness. Although it superficially looks more 
complicated, it turns out to be trivial to implement using our basic verifiable 
encryption scheme, as we shall see. 

Informally, verifiable group encryption takes place in a similar model as ordinary 
verifiable encryption, that is, P and V interact on common input x, where 
P knows w such that (x, w) ∈ ℛ. As before, it is instructive to think of w as 
being a signature on x w.r.t. some fixed public key. Now, however, n public 
encryption keys E_1, ..., E_n are involved, and a monotone access structure Γ 
over {1, ..., n} is agreed upon by P and V. Then an honest V obtains from P 
encryptions E_1(w_1), ..., E_n(w_n) such that a valid w can be reconstructed from 
a subset A of the w_i's, if A ∈ Γ, whereas a set A ∉ Γ gives no information. 
Finally, if honest proxies forming a set A ∈ Γ decide to reconstruct w, they can 
do so successfully, even if dishonest proxies also participate. 

This notion of “group encryption” should not be confused with the notion 
of threshold encryption [17]. In the latter case, a number of parties publishes a 
single public key and the access structure is determined by these parties during 
the setup of the system. In contrast, a group encryption scheme allows to choose 
a (possibly different) access structure each time when (verifiably) encrypting a 
message. Another distinguishing feature is that a group encryption enables the 
proxies to choose their encryption keys independent of each other and allows 
them even to use different encryption schemes (perfect separability) . We finally 
note that one could also use any threshold encryption scheme on its own to 
achieve higher security against fraudulent third parties for the basic verifiable 
encryption scheme. However, such a solution will not offer perfect separability 
and not fit the framework of an existing public key infrastructure we are target- 
ing. 


4.1 Realization 

A verifiable group encryption scheme can be realized using a secret sharing 
scheme for the chosen access structure $\Gamma$. We just need to observe that our veri- 
fiable encryption scheme from before works based on any public key encryption 
scheme. In particular, we will execute it using the following encryption scheme: 
given input s, use the given secret sharing scheme with $\Gamma$ to get shares $s_1, \dots, s_n$ 
of s, and then let the output ciphertext be $E_1(s_1), \dots, E_n(s_n)$. Clearly, one can 
compute s from a correctly formed ciphertext, if one can decrypt a subset of the 
$s_i$'s corresponding to a set in $\Gamma$. 

From the construction it is clear that, due to the properties of secret sharing 
schemes, the proxies can reconstruct the witness when given $E_1(s_1), \dots, E_n(s_n)$ 
and $\Gamma$ by decrypting, pooling the shares, reconstructing s, and then using the 
properties of the basic verifiable encryption protocol. This is possible even with 
the participation of malicious proxies as long as the honest proxies form a set 
$A \in \Gamma$; however, they might not be able to do this efficiently in the presence 
of malicious proxies who provide incorrect values for the $s_i$'s. If the encryption 
scheme used allows proxy i to prove that $s_i$ is indeed the value encrypted in $E_i(s_i)$ 
directly, the problem is trivial to solve. If this is not the case, we can modify 
the encryption scheme and encrypt the random choices used for encryption of 
the shares as well for the respective proxies. Writing $E_i(r, m)$ for the encryption 
of m under $E_i$ with random choices r, our encryption scheme would output 
$(E_1(r_1, s_1), E_1(\tilde r_1, r_1)), \dots, (E_n(r_n, s_n), E_n(\tilde r_n, r_n))$. Now, proxy i can 
prove correct decryption by providing $r_i$ and $s_i$. 

In case the scheme is made non-interactive using the Fiat-Shamir heuris- 
tic [20], the access structure $\Gamma$ should also be included in the hash-function. 
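As an added illustration (this code is not part of the paper), the following Python script realizes the construction of this subsection for a small monotone access structure $\Gamma$: the witness is shared with the cumulative-array scheme (one XOR piece per maximal unqualified set, handed to every proxy outside that set), each share $s_i$ is encrypted under proxy i's own key with explicit randomness $r_i$, and $r_i$ itself is encrypted for proxy i, so that proxy i can later open $(r_i, s_i)$ and anyone can check the opening by re-encryption. The per-proxy scheme (hashed ElGamal over a toy 11-bit safe-prime group), the sharing scheme, the sample $\Gamma$ and all names are assumptions of the example; the $\Sigma$-protocol proving that the encrypted witness is valid is treated as a black box and not implemented.

```python
import hashlib
import os
from itertools import combinations

# Toy group for the per-proxy hashed-ElGamal encryption: p = 2q + 1 with q prime,
# g of order q.  Sizes are a demo assumption; real proxies would use their own
# (independently chosen, possibly different) schemes, as the paper allows.
P, Q, G = 2039, 1019, 4

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def random_exponent():
    return 1 + int.from_bytes(os.urandom(4), "big") % (Q - 1)

def keygen():
    sk = random_exponent()
    return sk, pow(G, sk, P)

def pad(k, n):                      # derive an n-byte pad from the shared group element
    return hashlib.shake_256(str(k).encode()).digest(n)

def encrypt(pk, r, msg):            # E_i(r, msg): the randomness r is an explicit input
    return (pow(G, r, P), xor(msg, pad(pow(pk, r, P), len(msg))))

def decrypt(sk, ct):
    c1, c2 = ct
    return xor(c2, pad(pow(c1, sk, P), len(c2)))

# --- secret sharing for an arbitrary monotone access structure Gamma ---
def maximal_unqualified(n, qualified):
    parties = range(1, n + 1)
    unq = [frozenset(c) for k in range(n + 1)
           for c in combinations(parties, k) if not qualified(set(c))]
    return [U for U in unq if not any(U < V for V in unq)]

def share(secret, n, qualified):
    # One XOR piece per maximal unqualified set U, handed to every proxy outside U.
    # A set A gets every piece iff A is contained in no U, i.e. iff A is qualified.
    max_u = maximal_unqualified(n, qualified)
    pieces = [os.urandom(len(secret)) for _ in max_u[:-1]]
    last = secret
    for t in pieces:
        last = xor(last, t)
    pieces.append(last)                          # XOR of all pieces == secret
    zero = bytes(len(secret))
    shares = {i: b"".join(t if i not in U else zero for U, t in zip(max_u, pieces))
              for i in range(1, n + 1)}
    return max_u, shares

def reconstruct(max_u, opened, length):
    # `opened` maps proxy -> decrypted share; returns None if the set is unqualified
    s = bytes(length)
    for idx, U in enumerate(max_u):
        holders = [i for i in opened if i not in U]
        if not holders:
            return None
        s = xor(s, opened[holders[0]][idx * length:(idx + 1) * length])
    return s

# --- group encryption of a witness, plus provable decryption per proxy ---
def group_encrypt(witness, pks, qualified):
    max_u, shares = share(witness, len(pks), qualified)
    cts = {}
    for i, pk in pks.items():
        r = random_exponent()
        cts[i] = (encrypt(pk, r, shares[i]),                         # E_i(r_i, s_i)
                  encrypt(pk, random_exponent(), r.to_bytes(4, "big")))  # E_i(r'_i, r_i)
    return max_u, cts

def proxy_open(sk, ct_pair):
    share_ct, r_ct = ct_pair
    return int.from_bytes(decrypt(sk, r_ct), "big"), decrypt(sk, share_ct)

def opening_is_correct(pk, ct_pair, r, s):     # anyone can check: re-encrypt and compare
    return encrypt(pk, r, s) == ct_pair[0]

def demo():
    n, qualified = 4, lambda A: len(A) >= 3 or {1, 2} <= A   # sample Gamma (assumed)
    witness = b"signature-bytes-w"                              # constructed sample witness
    keys = {i: keygen() for i in range(1, n + 1)}
    pks = {i: pk for i, (sk, pk) in keys.items()}
    max_u, cts = group_encrypt(witness, pks, qualified)
    openings = {i: proxy_open(keys[i][0], cts[i]) for i in range(1, n + 1)}
    honest = all(opening_is_correct(pks[i], cts[i], *openings[i]) for i in openings)
    # a proxy that submits a wrong share is caught before reconstruction
    r3, s3 = openings[3]
    cheat_caught = not opening_is_correct(pks[3], cts[3], r3, xor(s3, b"\x01" * len(s3)))
    by_qualified = reconstruct(max_u, {1: openings[1][1], 2: openings[2][1]}, len(witness))
    by_unqualified = reconstruct(max_u, {1: openings[1][1], 3: openings[3][1]}, len(witness))
    return witness, by_qualified, by_unqualified, honest, cheat_caught

if __name__ == "__main__":
    print(demo())
```

Because the opening is checked by re-encryption, the correctness of a proxy's contribution depends only on the proxy's own scheme, which is what lets the proxies keep independent (and different) encryption schemes.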

4.2 Verifiable Group Encryption vs. Verifiable Signature Sharing 

The concept of verifiable signature sharing (V$\Sigma$S) [10,22] involves a signature 
receiver who distributes shares of a signature on a public message to a set of 
proxies such that all proxies can verify that this has been done correctly, and a 
qualified set of proxies can always reconstruct the signature, even in the presence 
of malicious proxies. Trivially, a verifiable group encryption scheme can be used 
to implement V$\Sigma$S: we simply execute verifiable group encryption of a signature 
on the given message, such that the signature receiver plays the role of the prover, 
and the proxies together play the role of the verifier. If the interactive variant 
is used, this is done by having proxies generate challenges for the prover by 
collective coin-flipping. With the non-interactive variant, no special precautions 
are needed, and the scheme becomes even publicly verifiable. The possibility to 
use any encryption scheme for the individual proxies solves an open problem 
raised in [10]. Moreover, a (publicly) verifiable secret sharing scheme, e.g., see 
[32], can be obtained along the same lines. 

5 Application to Group Signatures and Identity Escrow 

A group signature scheme [6,8,9,11,12,29] allows a member of a group of users 
to sign a message on the group’s behalf. The scheme protects the privacy of 
signers in that the verifier should not be able to find the identity of the signer. 
However, to handle special cases where the scheme is misused by some user, there 
is a revocation manager who can indeed find the identity of the signer from the 
signature. In some schemes, there is also a membership manager who takes care 
of the key set-up and enrollment of users in the group. No collusion of users (even 
including the membership manager) should be able to forge signatures such that 
it is not possible for the revocation manager to reveal the identity of the signer. 
Furthermore, no collusion of users (even including both managers) should be able 
to forge signatures such that upon revocation they seem to originate from another 
user. Moreover, we want to minimize the involvement of parties in the protocols. 
This means that managers should not be involved in creating a signature, and 
ideally also that the revocation manager is not involved in establishing the group, 
and is in fact completely inactive until revocation of anonymity is needed. 

The interactive equivalent of a group signature scheme is a group identifica- 
tion scheme with revocable anonymity (also called identity escrow scheme [26]). 
Here, the goal is for a group member to anonymously identify himself as a mem- 
ber — rather than being able to sign a message. Except for this, the security 
properties of group signatures carry over directly. 

For both kinds of schemes, it is of course desirable that they possess perfect 
separability, i.e., that they can be implemented based on keys that users and 
managers already have established, even if those keys were not intended to be 
used in these schemes. 

In the following, we show how to use a verifiable encryption scheme to design 
a separable group identification scheme with revocable anonymity. This scheme 
can be proved secure, assuming only security of the encryption, signature, and 
identification schemes involved. We then modify this to a group signature scheme 
using the Fiat-Shamir heuristic [20]. This scheme is secure assuming in addition 
that the heuristic is valid for the protocol and hash function involved. It can be 
proved secure with no additional assumptions in the random oracle model. For 
a formal model of group signatures and identity escrow we refer to [9,26]. 

5.1 Realizations 

We describe the basic idea for the case where the users’ public keys are of some 
signature schemes and then extend the scheme such that the users’ public keys 
can also be of some interactive identification schemes. 

We assume we are given public keys $P_1, \dots, P_n$ of secure signature schemes 
for n players, and that for each signature scheme employed, there is a $\Sigma$-protocol 
for the relation $\{(x, w) \mid w \text{ is a valid signature on message } x\}$. As mentioned 
earlier, this is true of any signature scheme for which a reduction function to a 
group-homomorphism exists [2]. To prove our scheme's security formally, we need 
that the signature schemes are secure against chosen message attacks. Finally, we 
assume that a revocation manager has been selected, who has published a public 
key E of a semantically secure encryption scheme. By Lemma 1 and Theorem 2 
we get a group identification scheme with revocable anonymity as follows: 

The group’s public key consists just of the membership manager’s signature 
(certificate) on the tuple $(P_1, \dots, P_n)$. To authenticate himself as a group mem- 
ber, the prover computes the signature on message x (randomly chosen by the 
verifier) with respect to his/her public key. Then the prover and the verifier 
carry out the verifiable encryption protocol for the relation 
$\{(x, w) \mid w \text{ is a valid signature on } x \text{ w.r.t. one of the public keys } P_1, \dots, P_n\}$, 
where the encryption public key used is E, the one of the revocation manager. We can do this 
because, by Lemma 1, an efficient $\Sigma$-protocol for this relation can be derived 
from the $\Sigma$-protocols we assumed exist for each single signature scheme. 

This derived $\Sigma$-protocol proves that w is a valid signature w.r.t. one of the 
public keys, but yields no information about which one is involved. This and the 
zero-knowledge property of the verifiable encryption scheme implies anonymity 
for the prover. Furthermore, if some coalition of users could impersonate another 
user, then they could also forge this user’s signatures. Finally, due to the validity 
of the verifiable encryption, the anonymity can be revoked just by decryption. 
With respect to the revocation manager’s ability to prove correct decryption 
of the witness, the remarks of the previous section apply: either the underly- 
ing encryption scheme allows this or, if not, the verifiable encryption scheme is 
modified as described there. 

Clearly, applying the Fiat-Shamir heuristic [20] yields a group signature 
scheme from this construction: the message x which was chosen by the verifier 
before, will now be the message to be signed. And we hash x and the prover’s 
first message in the verifiable encryption protocol to get a challenge. This can 
be proved secure in the random oracle model. In summary, we have argued: 

Theorem 3. Given any set of secure signature schemes with an associated $\Sigma$- 
protocol each and any secure public key encryption scheme, a secure separable 
group identification scheme with revocable anonymity and a separable group sig- 
nature scheme secure in the random oracle model can be constructed. The com- 
plexities of the schemes are linear in the group’s size, the security parameter, 
and in the complexity of the signature and encryption schemes. 

The full version of this paper [5] discusses how to cope with the situation 
where we are not given a number of signature public keys, but instead public keys 
of interactive identification protocols. The pitfall here is that we cannot use these 
schemes directly as revocation would reveal a user’s secret. The full version also 
provides a method to exploit the $\Sigma$-protocol of any identification scheme such 
that one can nevertheless build a group identification/signature scheme from it. 

5.2 Extensions and Related Work 

Extensions to generalized group identification schemes and schemes with higher 
protection against fraudulent anonymity revocation are discussed in the full ver- 
sion of this paper [5]. 

Comparing our group signature and identity escrow schemes with previous 
proposals, we find that ours are the only ones that provide perfect separability. 
The identity escrow scheme in [26] provides only partial separability, i.e., separa- 
bility w.r.t. the revocation manager; the group signature scheme in [8] provides 
only weak separability, i.e., group members can only use RSA or discrete loga- 
rithm based keys of a given size and the membership manager can only use the 
RSA signature scheme together with a particular algebraic padding function. 

The schemes proposed in [8,9,26] have the property that the group’s public 
key does not depend on the size of the group. These schemes are an order of 
magnitude more efficient than ours. However, our schemes have some advantages 
over them. Namely, in order to exclude group members, the membership manager 
has to interact with all remaining group members in these schemes whereas in 
our solution the membership manager just publishes a new group public key (our 
scheme does not require the group members to participate in the setup at all). 
Furthermore, only schemes of our kind allow the group membership to be made 
publicly known (note that signatures remain anonymous), while this is 
not possible for the other type of scheme. Finally, generalized group signature 
schemes can only be realized this way. Therefore, we believe that schemes where 
the group’s public key reflects the group’s size and structure are indeed the only 
solution for certain applications. 

It remains an open problem to find efficient schemes providing perfect sepa- 
rability and where the group’s public key does not depend on the group’s size. 
Abstract. We introduce an efficient method for performing computa- 
tion on encrypted data, allowing addition of ElGamal encrypted plain- 
texts. We demonstrate a solution that is robust and leaks no information 
to a minority of colluding cheaters. Our focus is on a three-player solu- 
tion, but we also consider generalization to a larger number of players. 
The amount of work is exponential in the number of players, but reason- 
able for small sets. 

Keywords: addition, directed decryption, ElGamal, fast-track, repeti- 
tion robustness 


1 Introduction 

For a number of public-key encryption schemes, it is possible to compose plaintexts 
multiplicatively through simple manipulation of their corresponding ciphertexts, 
without knowledge of an associated decryption key. For ElGamal encryption, 
this is achieved by component-wise multiplication of individual ciphertexts. If 
the ciphertexts have been encrypted under the same public key, the result is an 
ElGamal encryption of the product of the plaintexts. It is known that there can 
not exist a non-interactive method for computing the sum of plaintexts in this 
setting given only the ciphertexts. If so, then it would be possible to break the 
Decision Diffie-Hellman Assumption.¹ Furthermore, even allowing interaction, 
and working in a setting where the decryption key is held distributively, it is not 
known how to compute the sum of plaintexts without invocation of costly general 
secure multiparty computation methods. In this paper, we propose the first 
efficient solution for performing the operation of distributed ElGamal plaintext 

¹ The ability to perform non-interactive plaintext addition implies the ability to build 
a comparator that determines whether a ciphertext corresponds to a particular plain- 
text. This would contradict the semantic security of the cipher, which is known to 
hold if the DDH assumption holds. The comparator would add an encryption of the 
additive inverse of the assumed plaintext, and determine whether the result of the 
addition is an encryption of the value zero, which is the only recognizable ciphertext. 

T. Okamoto (Ed.): ASIACRYPT 2000, LNCS 1976, pp. 346-358, 2000. 
addition. However, we note that our solution is only efficient for a small number of 
participants, as its asymptotic costs are exponential in the number of players. We 
hope that improvements to our techniques will be able to remove this restriction. 

Our goal is therefore to solve the following problem: Two ElGamal cipher- 
texts, both encrypted using a public key y, are given to a set of n players, among 
whom the corresponding secret key x is shared using a standard (k, n)-threshold 
secret sharing scheme. The players wish to generate an encryption of the sum 
of the encrypted plaintexts. We want the computation to be done in a robust 
manner, i.e., such that cheating will be detected and traced with an overwhelm- 
ing probability. At the same time, it must be performed without revealing any 
information to a minority of dishonest and colluding players. In the main body 
of the paper, we focus on a (2, 3)-threshold solution, but this solution generalizes 
rather straightforwardly to more players. (However, as mentioned, the solution 
is only practical for small sets.) 

We want our multiplicative group to be closed under addition. Working in 
the field $F[2^t]$ gives us a close approximation of this. In order not to leak the 
residuosity of results, we additionally require the size of the multiplicative group 
to be prime. We review the related security aspects of this modification. 

Our method is based on iterated additive resharing of secrets and on a handful 
of scheduling tricks. Since an important goal is for the protocol to be computa- 
tionally efficient, we avoid traditional zero-knowledge based robustness methods, 
and employ instead the so-called repetition robustness method [9]. We expand on 
the use of this method by offering a new type of setting in which it is beneficial. 
We also employ the ideas of fast-track computation, optimizing the scheme for 
the case where no players attempt to corrupt the computation. (See [7] for the 
introduction of the term and, e.g., [5] for an early introduction to the idea.) 

Apart from addressing a long open problem, we introduce methods for effi- 
cient computation that may be of independent interest. For example, our result 
might serve as a possible alternative basis for general secure multiparty com- 
putation. It is interesting to note that this would give us a solution where one 
pays for addition, while multiplications are (almost) for free. This is in contrast 
to the usual case for general secure multiparty computation, where addition is 
free while multiplication is relatively costly. It appears that for some types of 
computations, our approach would lower the cost of the function evaluation. 

Our building block may also find applications in more specific multi-party 
settings, such as certification schemes, payment schemes, and election schemes. 
This may be both to allow new functionality, and to lower computational costs 
by allowing for alternative ways of arriving at a given result. It is interesting to 
note that it sometimes may lower computational costs to perform computation 
on encrypted data, compared to traditional secret-sharing methods in which each 
party needs to prove that he performed the correct computation. 

We therefore see our work as an interesting step in a direction that may 
provide new types of solutions for multi-party computation. We do not, however, 
view the work presented here to be conclusive in any manner. Instead, we want 
to bring the attention to several remaining open problems. Most notable among 
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these are the questions of whether there exists an efficient and secure two-player 
solution, and whether an efficient solution can be developed for large sets of 
players, ours being efficient only for moderate sized sets. 

Outline. We begin with a review of related work (Section 2). We then introduce 
our building blocks and design methods (Section 3), and present a description 
of a non-robust solution (Section 4). In Section 5, we show how to incorporate 
robustness into that solution. We prove that our solution satisfies our stated 
requirements in Appendix A. 

2 Related Work 

We introduce the notion of one-splitting. This is superficially related to standard 
secret-sharing methods [17], and in particular to zero-sharing (see, e.g., [11]). The 
latter involves superimposition of several polynomials, each encoding the value 
zero, in order to create an unknown polynomial that likewise encodes a zero. 
While the technical differences are substantial, the principles are related. Our 
methods involve composition of multiple ciphertexts, resulting in a set of new 
ciphertexts such that the sum of their plaintexts equals the value one. 

We use the notion of repetition robustness, introduced in [9] and later also 
employed in [10], to make our protocol robust without excessive use of zero- 
knowledge proofs. If zero-knowledge proofs were to be used instead, it would ap- 
pear necessary to invoke computationally costly cut-and-choose methods. (While 
there is nothing inherent in the setting that requires a cut-and-choose approach, 
we are not aware of any other kind of zero-knowledge method that can be used 
to perform the required proof.) 

The version of repetition robustness outlined in [9,10] relies on the use of 
permutation, and potentially requires a large number of repetitions in order to 
render the success probability of an attacker sufficiently small. Our flavor of the 
principle, however, does not involve permutation, and only requires two runs of 
the protocol to ensure a negligible probability of success for an attacker. This 
is because our protocol by its very nature destroys the homomorphic properties 
exploitable by an attacker in [9,10]. 

Our solution is based on the principles of fast-track computation [7,5]. The 
guiding aim here is to streamline the efficiency of the protocol for the case 
in which no player attempts to corrupt the output, in the hope that this is 
the most common case. This translates to inexpensive methods for detection of 
errors, followed by a conditional execution of potentially expensive methods for 
determining which player misbehaved. 

We use standard methods for proving correctness of exponentiation. These 
are related to verification of undeniable signatures [2,1] and to discrete log based 
signatures. We refer to [8] for methods relating to the latter approach. 

All computation takes place in $F[2^t]$, where $q = 2^t - 1$ is prime. This is 
done to avoid leaks of information relating to the Jacobi symbol of the result 
of the computation, and to achieve “approximate closure” of the multiplicative 



Addition of ElGamal Plaintexts 349 


group under addition. It should be noted that performing the computation in 
this structure allows for more efficient attacks than for the standard parame- 
ter choices, as shown by Coppersmith [3]. Coppersmith’s result improves the 
asymptotic running time of the special number field sieve. Implementations [12] 
suggest that if we perform all arithmetic in the field $F[2^{2203}]$ (whose multiplicative 
group has order $2^{2203} - 1$, the smallest Mersenne prime of the approximate size we 
want), instead of the standard choice of 1024 bit moduli, the computational hardness 
of computing discrete logs would be maintained. We note that the speed of multiplication 
in this structure is about a quarter of the speed compared to $F[p]$ for $|p| = 1024$ if 
software is used, and about half if special-purpose hardware is employed. 

3 Building Blocks and Design Methods 

We employ the standard cryptographic model in which players are modeled by 
polynomial-time Turing Machines. We make the common assumption that a 
minority of players may be dishonest and may collude. A further requirement 
is the existence of an authenticated broadcast channel among players. We first 
review standard building blocks presented in the literature, and then introduce 
some building blocks peculiar to the protocols in this paper. 

3.1 Standard Building Blocks 

Group structure. The ElGamal cryptosystem, which we will use, may operate 
over any of a number of choices of group in which the discrete log problem is 
infeasible. (See [13] for a discussion and list of some proposed group choices.) 
We let g denote a generator of $F^*[2^t]$, where $p = 2^t - 1$ is prime. We note that 
the additive and multiplicative groups overlap on all elements but 0. 

Secret sharing. We assume that the private decryption key x is shared among 
players using (k, n)-threshold secret sharing [17], and denote by $x_i$ the secret key 
share of x held by player i. Here, $x = \sum_{i \in S} x_i \lambda_{S,i}$, where S is a set of k players, 
and $\lambda_{S,i}$ is the Lagrange coefficient for the set S and player i. It is possible to 
generate and distribute x using any of a number of well studied protocols. See, 
e.g., [6] for a brief overview and some caveats. 

ElGamal encryption. In the ElGamal cryptosystem, the private key is an 
integer x selected uniformly at random from $\mathbb{Z}_p$. The corresponding public key 
is $y = g^x$. In order to encrypt a value $m \in F^*[2^t]$ under public key y, we pick a 
random element $\alpha \in \mathbb{Z}_p$, and compute the ciphertext as $(a, b) = (y^\alpha m, g^\alpha)$. (We 
note that we allow a more “liberal” choice of message encodings than for standard 
ElGamal encryption, since every element but zero is in the multiplicative group.) 

Standard and directed decryption. The plaintext message can be computed 
from a ciphertext (a, b) by computing $a / b^x$, where x is the secret decryption key. 
Note that this trivially allows distribution, where each player, holding an additive 
share $x_i$ of x, computes and publishes $B_i = b^{x_i}$, from which $B = b^x$ can easily be 
constructed. We obtain a directed decryption for a player i by having all players 
but i publish their shares of B, after which player i locally computes $B_i$, then 
B, and finally the plaintext $m = a / B$. 

Multiplication and division of ciphertexts. Let $E(m_1) = (a_1, b_1)$ and 
$E(m_2) = (a_2, b_2)$ be two ciphertexts, corresponding to plaintexts $m_1$ and $m_2$. 
We say that $E(m_3) = E(m_1) E(m_2) = (a_1 a_2, b_1 b_2)$ is the product of $E(m_1)$ and 
$E(m_2)$, since its plaintext is $m_3 = m_1 m_2$. Similarly, we say that the quotient of two 
ciphertexts is $E(m_3) = E(m_1) / E(m_2) = (a_1 a_2^{-1}, b_1 b_2^{-1})$, where the resulting 
ciphertext corresponds to the plaintext $m_3 = m_1 m_2^{-1}$. 

Distributed blinding. For k players to blind a ciphertext E(m), each player 
i selects a random number $r_i \in F^*[2^t]$ and computes and publishes $E(r_i)$. 
Then, the players compute $E(\bar m) = E(m) \prod_{i=1}^{k} E(r_i)$, for which we have 
$\bar m = m \prod_{i=1}^{k} r_i$. The players unblind $E(\bar m)$ by computing 
$E(\bar m) / (\prod_{i=1}^{k} E(r_i))$, where the $E(r_i)$ are the individual blinding factors 
applied in the blinding step. 

Plaintext equality test. This is a distributed protocol for determining whether 
the plaintexts corresponding to two ElGamal ciphertexts are equal. Given two 
ciphertexts, $E_1$ and $E_2$, we compute $(a, b) = E_1 / E_2$. Using, e.g., the techniques 
described in [8], we then determine in a distributed fashion whether $\log_y a = \log_g b$. 
If this equality holds, then the two plaintexts are determined to be equal. 


3.2 Special Building Blocks 

We now introduce some building blocks peculiar to our protocols in this paper. 

One-splitting. Two parties can compute a one-splitting, i.e., a set of cipher- 
texts for which the plaintext sum is congruent to 1, using the following approach. 

1. The first player selects a random value $w_1 \in_u F[2^t] \setminus \{0, 1\}$, and computes 
$\bar w_1 = 1 - w_1$. He encrypts these two plaintexts, resulting in the ciphertexts 
$E_1$ and $\bar E_1$. We call this portion of the one-splitting the “root”. 

2. The second player selects two random numbers, $w_{2i} \in_u F[2^t] \setminus \{0, 1\}$, where 
$1 \le i \le 2$, and computes $\bar w_{2i} = 1 - w_{2i}$. He encrypts these four plaintexts, 
giving him $E_{21}$, $\bar E_{21}$, $E_{22}$ and $\bar E_{22}$. We call this portion of the one-splitting 
the “leaves”. 

3. Both parties commit to their ciphertexts, and then decommit and compute 
the new ciphertext quadruple 
$(\mathcal{E}_1, \mathcal{E}_2, \mathcal{E}_3, \mathcal{E}_4) = (E_1 E_{21},\ E_1 \bar E_{21},\ \bar E_1 E_{22},\ \bar E_1 \bar E_{22})$. 
These constitute a one-splitting: it is easy to see that the corresponding plaintexts 
satisfy $\sum_{i=1}^{4} \mathcal{E}_i = 1$. 

Remark: The one-splitting protocol generalizes straightforwardly to any num- 
ber of players, but incurs costs exponential in the number of players. It is there- 
fore only suited to small numbers of players. In this paper, we consider a setting 
in which only two (out of three) players engage in the one-splitting. 
Blinded round-robin addition. Let (A, B, C) correspond to three partici- 
pating players, and let $(M_A, M_B, M_C) \in (F[2^t])^3$ correspond to their respective 
private inputs. In this protocol, a player “sends” a message m to another player 
by publishing an encryption E(m), which all players then directively decrypt 
for the target player. The effect of this procedure is to establish the ciphertext 
E(m) as a commitment to the transmitted message. This commitment can later 
be used to trace cheaters if necessary. The blinded round-robin addition protocol 
is now as follows. 

1. A selects $\Delta \in_u F[2^t]$, and then sends $S_1 = M_A + \Delta$ to B and $\Delta$ to C. 

2. B computes $S_2 = S_1 + M_B$ and sends it to C. 

3. C computes $S_3 = S_2 + M_C - \Delta$, and publishes an ElGamal encryption $E(S_3)$ 
under public key y. 

Remark 1: We note that the above protocol will fail to hide the result if $S_3 = 0$. 
This only happens with a negligible probability for independent and uniformly 
distributed inputs. For inputs of “dangerous” distributions, we need to split 
each input value into two portions before performing the addition. This will be 
described later in the section. 

Remark 2: The addition protocol can be extended to k > 3 players by having 
each of the k players compute a (k, k)-threshold sharing of her value. Each player 
then distributes the pieces of her sharing among all k players. Then, in a round- 
robin addition, the final player obtains the sum of all shares, for which she 
outputs the corresponding ciphertext. 

Repetition robustness. While standard zero-knowledge based methods can 
be employed to achieve robustness, the cost for doing so would be substantial. 
We show how to use a recently introduced method, so-called repetition robustness 
[9], to obtain robustness at low cost. This method works by performing portions 
of the computation twice, using different random strings for each invocation, 
and comparing the resulting outputs. We repeat a portion relating to the one- 
splitting once, and a portion relating to the addition of partial results once, 
giving us a robust result with a cost less than three times that of the non-robust 
version of the protocol. 

Scheduling tricks. In the primitives we develop, different relations are learned 
by the different players, and it becomes of vital importance to schedule carefully 
what player performs which tasks. This is to prevent any player from ending 
up with a fully determined set of equations and thereby learning information 
about the plaintexts. The resulting scheduling techniques are remotely related 
to standard blinding methods. The intuition behind our scheduling methods is 
as follows: In the different building blocks we have presented, it can be seen 
that the different parties learn different amounts or relations. For example, the 
third player in the blinded round-robin addition protocol we presented learns the 
product of the blinding factor and the message, whereas the other players do not 
learn this piece of information. In order to ascertain that no player learns any 
function of the secret information, it is important to schedule the execution of the 
different building blocks in a manner that does not allow any one participant (or 
more generally, any set controlled by the adversary) to collect enough relations 
that he can compute any non-trivial function of secret information. (We will 
solidify this in the appendix by showing how each party can produce a simulation 
that is coherent with his view and any set of secret inputs.) 

Avoiding zero. ElGamal encryption has the property that the zero plaintext 
cannot be encrypted, but must be avoided or otherwise encoded, as its cor- 
responding ciphertext is distinguishable from ciphertexts of other plaintexts. 
Depending on the use of our proposed scheme, and depending on its input, a 
related problem may be that, whereas no input is an encryption of zero, an 
intermediate value or an output may still be. In order to avoid this prob- 
lem, one can represent every item of the computation as a pair of ciphertexts, 
such that their plaintexts, if added, correspond to the value to be manipulated. 
We note that it is easy, given our methods, to produce such a “pair representa- 
tion” of each already encrypted input; this is done plainly by selecting a random 
ciphertext from the correct distribution, and subtracting this from the initial ci- 
phertext. The result, along with the random ciphertext, is a pair whose plaintext 
sum corresponds to the plaintext of the original ciphertext. This can be done to 
all values, after which the desired computation is performed on the ciphertext 
pairs instead of on the original ciphertexts. (Note that addition can simply be 
done element-wise, whereas multiplication becomes more laborious.) In our basic 
solution, we do not consider these issues. 

4 A Non-robust Solution (Protocol $\mathcal{P}_1$) 

Using the building blocks introduced in the previous section, we now present 
a preliminary solution for addition of plaintexts. This solution is correct and 
complete and implements privacy, but is not robust. Our solution involves three 
players, two that are active (i.e., are involved in choosing random values) and 
one that is passive (i.e., only involved in adding values given to him.) 

Let $E(m_1)$ and $E(m_2)$ be the input ciphertexts, and $E(m_3)$ the output 
ciphertext. We assume that the players share the secret decryption key $x$. Since 
our protocol is only secure against dishonest minorities, we will use a threshold 
scheme that reflects the same trust setting. In the three-player setting we 
consider here, that means that a $(2,3)$-threshold scheme is employed. Call the 
following protocol $\mathcal{P}_1$: 

1. The two active parties compute a blinding factor E(r) using the methods of 
distributed blinding. 

2. The two active parties compute two independent one-splittings. Call these 
$(\mathcal{E}_{11}, \mathcal{E}_{12}, \mathcal{E}_{13}, \mathcal{E}_{14})$ and 
$(\mathcal{E}_{21}, \mathcal{E}_{22}, \mathcal{E}_{23}, \mathcal{E}_{24})$. We let the first player set the root 
of the first one-splitting, and the leaves of the second. 



Addition of ElGamal Plaintexts 353 


3. In this step we perform the first robustness check; we will elaborate on this 
in the next section. 

4. Let $\mu_{jk} = \mathcal{E}_{jk}\,E(r)\,E(m_j)$ for $1 \le j \le 2$. The two parties use the methods of 
directed decryption to decrypt the resulting ciphertexts $\mu_{jk}$, giving the first 
active player the plaintexts of the ciphertexts with $k = 1$, and the second 
active player the plaintexts of those with $k = 3$. The passive player gets the 
remaining plaintexts, i.e., those with $k = 2$ and $k = 4$. 

5. Each player computes the sum of the above plaintexts. All parties then add 
these using the blinded round-robin addition protocol. The scheduling order 
here is (2, 3, 1), i.e., the second active player begins and the first active player 
finishes, sandwiching the passive player. We denote the result of this step by 
E(M). 

6. The unblinded result $E(m_3) = E(M)/E(r)$ is computed and output. 

5 Robustness 

The above protocol has three weaknesses with respect to robustness. First, it 
is possible for a cheater to publish ciphertext pairs for which it is not the case 
that the respective plaintexts add up to one; second, it is possible for a cheater 
to cause incorrect decryption; and third, it is possible for a cheater to publish a 
value which is not the sum of the plaintexts she received. We note that it is not 
possible to corrupt the computation in other places, as the blinding factor E(r) 
applied in the first step is cancelled in the last, and both of these computations 
are performed “in public” . 

We address avoidance of the first and the third attack in the following two 
subsections, starting with how to guarantee correct one-splittings, followed by 
a method for guaranteeing correct addition of plaintexts. The second attack is 
easily avoided by use of proofs of correct exponentiation (see e.g., [8]). 


5.1 Attaining Robustness I (Protocol $\mathcal{P}_2$) 

Let us consider how to guarantee that a one-splitting is correctly performed. Let 
$(\mathcal{E}_{j1}, \mathcal{E}_{j2}, \mathcal{E}_{j3}, \mathcal{E}_{j4})$ be the previously described one-splittings. The players run the 
following protocol once for each such one-splitting, $1 \le j \le 2$: 

3a. The two active parties compute a blinding factor $E(\rho_j)$. 

3b. Let $\beta_{jk} = \mathcal{E}_{jk}\,E(\rho_j)$, for $1 \le k \le 4$. Using directed decryption, the parties 
decrypt these ciphertexts, giving (as before) the first player the plaintext 
with $k = 1$, the second that with $k = 3$, and the third player the remaining 
two plaintexts. 

3c. Using the blinded round-robin addition method, they compute the sum of the 
plaintexts they have been given. Here, we use the scheduling order $(1, 3, 2)$. 
This corresponds to a change in the order of the active players with respect 
to the main protocol. The resulting ciphertext is $E(B_j)$. 

3d. The players determine if $E(B_j)$ and $E(\rho_j)$ correspond to the same plaintext, 
using the plaintext equality test building block. They accept iff the plaintexts 
are equal. 

As suggested by the enumeration of the above steps, this protocol is meant 
to be inserted in place of step 3 in protocol $\mathcal{P}_1$. We call the resulting protocol 
$\mathcal{P}_2$. Protocol $\mathcal{P}_2$ implements privacy, as stated in the following lemma, whose 
proof is sketched in Appendix A. 

Lemma 1: Protocol $\mathcal{P}_2$ implements privacy. More precisely, we can construct 
a simulator $\mathcal{E}$ such that an adversary $\mathcal{A}$ controlling a minority of the players 
cannot distinguish the view of a real protocol run from the view generated by 
$\mathcal{E}$, assuming that the adversary only corrupts a minority of participants, and 
that the DDH problem over F*[2*] is hard. □ 

If the parties accept in the above protocol, then the one-splitting must be 
correct with overwhelming probability; otherwise, somebody must have cheated. 
In other words, the protocol $\mathcal{P}_2$ for proving valid one-splittings has the following 
property, relating to the robustness of the final scheme. 

Lemma 2: If the parties accept in the protocol described by steps 3a-3d, then 
with overwhelming probability, for each quadruple $(\mathcal{E}_{j1}, \mathcal{E}_{j2}, \mathcal{E}_{j3}, \mathcal{E}_{j4})$, $1 \le j \le 2$, 
the sum of the corresponding plaintexts is congruent to 1. □ 

Note that the above protocol only detects cheating, but does not determine 
who cheated. In order to reveal the identity of a cheater, all the players pub- 
lish their protocol-specific inputs, after which the computation of each player is 
verified by each other player, and the cheater pinpointed. This procedure is, of 
course, only performed in case that the above protocol results in a reject. 

5.2 Attaining Robustness II (Protocol $\mathcal{P}_3$) 

The protocol we called $\mathcal{P}_1$ is not robust, as it allows a cheating player to use an 
arbitrary value as input to the blinded round-robin addition step without being 
detected. Again, we can use the principles of repetition robustness to avoid this 
problem. More precisely, we can run the previously described protocols twice, 
using the same inputs but different random strings. The output can be shown 
(and will be shown) to be correct with an overwhelming probability if the two 
resulting ciphertexts correspond to the same plaintext values. 

In fact, we do not have to run the partially robust protocol $\mathcal{P}_2$ twice. We 
can, instead, execute the protocol $\mathcal{P}_3$, which is as follows. 

1. Run one instance of $\mathcal{P}_1$ and one instance of $\mathcal{P}_2$ on the same inputs, but using 
independent random strings. 

2. Let $E(m_3)$ be the output of the above invocation of $\mathcal{P}_1$ and $E(m_4)$ be the 
output of the above invocation of $\mathcal{P}_2$. These are compared using the plaintext 
equality test building block. If the equality holds, then the players output 
$E(m_3)$. Otherwise they must perform a protocol $\mathcal{P}_4$ for identifying cheaters. 
We note that the protocol $\mathcal{P}_4$, which we do not elaborate on, can use general 
multi-party computation, and therefore be computationally expensive. However, 
since it is only employed in what are presumably rare cases of cheating, this is 
not a concern. (In other words, we take a fast-track or “optimistic” approach 
to robustness.) It is easy to see that protocol $\mathcal{P}_3$ is correct and complete. Fur- 
thermore, as will be proven in Appendix A, it also implements privacy, and is 
robust. Thus we have the following two theorems. 

Theorem 1: Assuming $\mathcal{P}_4$ is private (which will follow from its zero-knowledge 
properties), we have that protocol $\mathcal{P}_3$ also is private. More precisely, we can 
construct a simulator $\mathcal{E}$ such that an adversary $\mathcal{A}$ controlling exactly one of 
the players cannot distinguish the view of a real protocol run from the view 
generated by $\mathcal{E}$. □ 

Theorem 2: Protocol $\mathcal{P}_3$ is robust. That is, if $E(m_1)$ and $E(m_2)$ are the input 
ciphertexts, then the output of $\mathcal{P}_3$ will be $E(m)$, where $m = m_1 + m_2$. This 
is under the assumption that the adversary only corrupts a minority of partici- 
pants, and that the DDH problem over F*[2*] is hard. □ 
A Proofs 

Proof of Lemma 1: (Sketch) 

Our approach is to show for each player that, given a view and a guess of an 
input pair (mi, m2), these two are consistent with each other. If this is the case 
for each possible pair (mi, m2), then each such pair is equally likely, given the 
view of the player, and thus, the protocol does not leak any information. For 
simplicity, we mark known, derived, and assumed quantities with a hat where it 
is not obvious from the context that they are known. 

Player 1: The first active player knows $M$ and can therefore compute $\hat r = 
M/(\hat m_1 + \hat m_2)$. He also knows w^-. He has that 

/iii = wlwhffhi 
P21 = wlwl^fhi 
PlA = WiW^P! 
P24 = wlW 22 p2 

For these four equations, there are five unknowns, wh, w\. 2 , w\, $\rho_1$, and $\rho_2$. No 
matter what the first player’s view is, it is consistent with any pair $(m_1, m_2)$. 
Player 2: Similarly, the second active player knows $B_j$. Thus, he knows $\hat\rho_j = B_j$. 
He also knows w 21 , w 22 , *wf. He has that 

Ai3 = wlw^rnH 
P-23 = 
fii2 = w{w 21 p 
P22 = w{wl x p 

For these equations, there are four unknowns, w\, w 21 , w 22 , and $r$. Again, we 
get that this view is consistent with $(m_1, m_2)$. 

Player 3: Finally, the passive player knows the following eight equations: 

P12 = wlw^rrhi 
Ai4 = w\w\ 2 rrhi 
P'22 = wlwhr^ 
P2A = wfwl 2 rm2 
P11 = W1W21P1 
fii3 = W1W22P1 
fihi = w\w\xP -2 
/?23 = w\w\ 2 p2 

For the above eight equations, there are nine unknowns, corresponding to all of 
the values that went into making the two one-splittings (namely W, w l W 21, 
w\ 2 , vi 2 \ , and w 22 ) and the blinding factors, $r$, $\rho_1$, and $\rho_2$. Therefore, the passive 
player’s view is also consistent with any pair $(m_1, m_2)$, and thus, $\mathcal{P}_2$ is private. 

□ 

Remark 1. In this proof sketch and those that follow, we do not fully consider 
information that the players may derive from published ciphertexts. Under the 
DDH assumption, the semantic security of ElGamal assures that this information 
is negligible. We shall treat this issue formally in proofs provided in the full 
version of the paper. 

Corollary 1: Each component of $\mathcal{P}_2$ is private, and in particular, $\mathcal{P}_1$ is. 

Claim 1: Any composition of private protocols with independent random strings 
for the players is private. 

Proof of Lemma 2: (Sketch) 

Assume that there is a polynomial-time cheating algorithm $\mathcal{A}$ for generating the 
transcripts of steps 1-3 of $\mathcal{P}_2$, so that the plaintext sum is not congruent to 1, 
and the honest players accept in step 3d with a non-negligible probability. We 
will show how to use $\mathcal{A}$ to break the DDH assumption in F*[2*]. The input 
to the algorithm will be the ciphertexts that constitute the output from the 
honest players, namely those for the generation of $(\mathcal{E}_1, \mathcal{E}_2, \mathcal{E}_3, \mathcal{E}_4)$, and those for 
the generation of $E(\rho)$. For $E(B)/E(\rho)$ to correspond to the plaintext 1 requires 
that the plaintexts in step 3c add up to $\rho$. Assume that the portions held by 
the honest players are known by the adversary. If $\mathcal{A}$ could produce a share so 
that the sum of the shares equals $\rho$ with a non-negligible probability, $\mathcal{A}$, together 
with simulations of the honest players (which take a suspected value $\rho$ as input), 
could be used to determine if $E(\rho)$ is an encryption of $\rho$ with a non-negligible 
success probability. This would break the DDH assumption in F*[2*], as it would 
show that the standard ElGamal encryption scheme is not semantically secure 
in this group. □ 

Proof of Theorem 1: (Sketch) 

Consider first the case in which no cheater is detected: Since $\mathcal{P}_1$ and $\mathcal{P}_2$ both 
are private, so must be a composition of the two. Consider now the case in 
which a cheater is detected. If a cheater is detected in step 3 of $\mathcal{P}_2$, then the 
entire protocol run is halted after each player reveals his random strings. Since 
no player has computed any function of his secret inputs at this point, that 
cannot leak any information, and this event must be simulable. The privacy of 
$\mathcal{P}_3$ therefore follows from our choice of a good secure function evaluation 
protocol for $\mathcal{P}_4$. If the latter is zero-knowledge, $\mathcal{P}_3$ will also be zero-knowledge. 
□ 

Proof of Theorem 2: (Sketch) 

We know from Lemma 2 that $\mathcal{P}_2$ is robust, and that if the players accept in 
this sub-protocol, then the one-splittings are with overwhelming probability 
correct. The robustness of step 4 of $\mathcal{P}_1$ follows from the soundness of the proof 
protocol for proving correct decryption. We will now show that if the result of 
the addition of plaintexts (step 5 of $\mathcal{P}_1$) is corrupted, then it will be detected 
by the honest players with an overwhelming probability. In order for the results 
of the two computations (of $\mathcal{P}_1$ resp. $\mathcal{P}_2$) to be equal, we have the following: 
the adversary must add a value $v r_1$ in the addition step of the first protocol, 
and a value $v r_2$ in the second, where $r_1$ is the blinding factor used in the first 
protocol, and $r_2$ that used in the second. Following the argument in the proof 
of Lemma 2, this would allow him to break the DDH assumption on F*[2*], as 
only encryptions of these values are available to him. Therefore, the output will, 
with overwhelming probability, only be accepted when it is correct. □ 
Abstract. A $t$ out of $n$ threshold scheme is such that shares are dis- 
tributed to $n$ participants so that any set of $t$ participants can compute 
the secret, whereas any set of fewer than $t$ participants gains no informa- 
tion about the secret. In [4], Desmedt and Frankel introduced a threshold 
scheme that can be used with any finite Abelian group. Hence it can be 
used to provide threshold RSA. In this scheme, the size of the share is 
on the order of $n$ times the size of the secret. Further, due to a complicated 
algebraic setting, and the large shares, this scheme requires a “large” 
amount of computation. Recent work has addressed how to reduce the 
resource requirements. Within this paper we provide improved meth- 
ods and demonstrate that the computational requirements of the Desmedt- 
Frankel scheme using our method are, in many cases, better than those of other 
existing threshold RSA signature schemes. 

Keywords: threshold secret sharing, threshold cryptography, threshold 
RSA, cyclotomic polynomials 


1 Introduction 

RSA [18] is an important cryptographic scheme. The development of threshold 
RSA was problematic due to the fact that the modulus $\phi(N)$,$^{1,2}$ as well as any 
multiple, cannot be leaked to any of the shareholders. Threshold RSA has been 
examined in [10,5,6], then in [13,4,3], and most recently in [11,12,17,20]. The 
Desmedt-Frankel scheme [4] was the first secure threshold RSA sharing scheme. 
This is a zero-knowledge threshold scheme. Further this scheme is a group in- 
dependent scheme. That is, the shareholder reconstruction of the secret key is 
independent of the group.$^3$ Group independent schemes provide a flexible thresh- 
old secret sharing. However, there is a disadvantage when using this scheme. The 
disadvantage of the scheme is the amount of resources it requires, in the sense 
of memory (share size) and processing (computational time). The memory re- 
quirement is caused by share expansion. That is, the share expansion is such 

$^1$ Here $N = p_1 p_2$, the product of two distinct primes, and $\phi(N) = (p_1 - 1)\cdot(p_2 - 1)$. 

$^2$ The true modulus is the Carmichael function $\lambda(N)$, which is a divisor of $\phi(N)$. 

$^3$ In most applications of threshold cryptography, the reconstructed value is a function 
of the secret key, not the secret key. For example a signature. In such cases the 
shareholder will obviously have to perform algebraic operations within the ring $\mathbb{Z}_N$. 

T. Okamoto (Ed.): ASIACRYPT 2000, LNCS 1976, pp. 359-372, 2000. 
that shares will consist of $O(n)$ subshares drawn from the keyspace. The pro- 
cessing cost comes from the computing requirements. Computations will need 
to be performed on these large shares. Moreover, computations will need to be 
performed in what appears to be a complicated algebraic structure. These re- 
source requirements (and interest in development of robust, proactive, and/or 
verifiable threshold RSA) have led to developing other schemes. However the al- 
gebraic structure of the Desmedt-Frankel scheme is used in some of these other 
schemes (for example [3,13]). Work has been initiated in relieving some of the 
computational requirements for the Desmedt-Frankel scheme. In [8], the authors 
established that within the Desmedt-Frankel scheme, the share size for each par- 
ticipant could be halved. In [15], we showed how to speed up the required com- 
putations when using the Desmedt-Frankel scheme to achieve a threshold RSA 
signature scheme. Most of the computation improvements were developed for the 
shareholder. Further, we provided a computation comparison of the Desmedt- 
Frankel signature scheme with the signature scheme recently developed by Shoup 
in [20]. Using this comparison we pointed out that in many cases the Desmedt- 
Frankel scheme performed better than the signature scheme developed by Shoup. 
Here we will provide further improvement in the performance of the Desmedt- 
Frankel scheme. Our analysis will show that the computational requirement on 
the shareholder, as described here, is always less than or equal to the compu- 
tational requirement for the shareholder as described in [15]. Furthermore, we 
will show that the computational requirement for the distributor is significantly 
better than those computation requirements stated by both [4] and [15]. 


1.1 The Desmedt Frankel Scheme 

$\mathcal{K}$ represents a finite abelian group. The secret $k$ is selected from $\mathcal{K}$. A prime 
$q$ is chosen such that $q > n + 1$. (We can assume, due to Bertrand’s postulate 
[16], that $O(q) = O(n)$.) Let $u$ represent a root of the cyclotomic polynomial 
$m(x) = \sum_{j=0}^{q-1} x^j$. Many of the computations are performed in the ring $\mathbb{Z}[u] = 
\mathbb{Z}[x]/m(x)$. Notice that $\alpha_i = \sum_{j=0}^{i-1} u^j$ is a unit (an invertible element in $\mathbb{Z}[u]$) 
for each $i$ ($1 \le i \le q-1$) and that $\alpha_i - \alpha_j$ is a unit for all distinct $i, j$, with 
$1 \le i, j \le q-1$. 

Consider the group $\mathcal{K}^{q-1}$ where $\mathcal{K}^{q-1} = \mathcal{K} \times \mathcal{K} \times \cdots \times \mathcal{K}$. If $x \in \mathcal{K}^{q-1}$ then 
$x = [x_0, x_1, \ldots, x_{q-2}]$. For all $x_1, x_2 \in \mathcal{K}^{q-1}$ 

$$x_1 + x_2 = [x_{1,0} + x_{2,0},\ x_{1,1} + x_{2,1},\ \ldots,\ x_{1,q-2} + x_{2,q-2}].$$ 

Let $\mathbf{0} = [0, 0, \ldots, 0]$, where $0$ denotes the identity in $\mathcal{K}$. For all $b \in \mathbb{Z}$, $bk = 
[bk_0, bk_1, \ldots, bk_{q-2}]$, where $bk_i$ represents the element in $\mathcal{K}$ formed by applying 
$k_i$ to itself $b$ times. For $u \in \mathbb{Z}[u]$, $uk = [0, k_0, k_1, \ldots, k_{q-3}] + [-k_{q-2}, \ldots, -k_{q-2}] = 
[-k_{q-2},\ -k_{q-2} + k_0,\ \ldots,\ -k_{q-2} + k_{q-3}]$. Then $u^{i+1} k = u(u^i k)$. For all polynomials 
$f$ in $u$ with integer coefficients, $f(u) = b_0 + b_1 u + \cdots + b_k u^k$, $f(u)k$ is defined by 
$f(u)k = \sum_{i=0}^{k} b_i\,(u^i k)$. Then $\mathcal{K}^{q-1}$ is a module over $\mathbb{Z}[u]$ (for more information 
see [1]). 
1.2 How Shares Are Computed 

Given secret $k$, we represent the secret by $\mathbf{k} = [k, 0, \ldots, 0] \in \mathcal{K}^{q-1}$. There are 
two alternatives to generate shares. 

Each shareholder $P_i$ ($i = 1, \ldots, n$) is given share $s_i$ in the following manner: 
First, $s_1, s_2, \ldots, s_{t-1}$ are chosen uniformly at random from $\mathcal{K}^{q-1}$. For $i \ge t$, $s_i$ is 
defined by: 

$$s_i = y_{i,C_i}^{-1} \cdot \Bigl(\mathbf{k} - \sum_{j \in C_i,\, j \ne i} y_{j,C_i} \cdot s_j\Bigr) \qquad (1)$$ 

where $C_i = \{1, 2, \ldots, t-1, i\}$ and for each $j \in C_i$ 

$$y_{j,C_i} = \prod_{h \in C_i,\, h \ne j} \frac{0 - \alpha_h}{\alpha_j - \alpha_h} \qquad (2)$$ 

An alternate manner to compute the shares is to choose $c_1, c_2, \ldots, c_{t-1}$ uni- 
formly at random from $\mathcal{K}^{q-1}$, such that share $s_i$ is determined by 

$$\begin{bmatrix} s_1 \\ s_2 \\ \vdots \\ s_n \end{bmatrix} = 
\begin{bmatrix} 1 & \alpha_1 & \cdots & \alpha_1^{t-1} \\ 1 & \alpha_2 & \cdots & \alpha_2^{t-1} \\ \vdots & \vdots & & \vdots \\ 1 & \alpha_n & \cdots & \alpha_n^{t-1} \end{bmatrix} 
\begin{bmatrix} \mathbf{k} \\ c_1 \\ \vdots \\ c_{t-1} \end{bmatrix} \qquad (3)$$ 

Therefore for each $i$, $s_i = \mathbf{k} + \alpha_i \cdot c_1 + \cdots + \alpha_i^{t-1} c_{t-1}$. Hence $s_i = g(\alpha_i)$ where 
$g(x) = \mathbf{k} + x \cdot c_1 + \cdots + x^{t-1} c_{t-1}$. (In this case it is possible to compute the 
shares using Horner’s algorithm.) 


1.3 How the Secret k Is Computed 

When a set $B$ of $t$ participants wish to compute $k \in \mathcal{K}$, they can determine $\mathbf{k}$, 
of which the first component of $\mathbf{k}$ is the secret $k$. The participants determine $\mathbf{k}$ 
by 

$$\mathbf{k} = \sum_{i \in B} y_{i,B} \cdot s_i \qquad (4)$$ 

where $y_{i,B}$ is defined by (2). We will use $F_0$ to denote the function which 
maps any $(q-1)$-tuple to its first coordinate. Thus $k = F_0(\mathbf{k})$. 

1.4 How Much Time Is Needed to Perform the Necessary Algebraic 
Operations 

One of our concerns is the amount of time each shareholder uses to perform 
algebraic operations, another is the amount of time the distributor needs to 
perform algebraic operations. As described by equations (1) and (4), a required 
computation appears to be $y_{i,B} \cdot s_i$ (where, in the case of the distributor, they need to 
calculate such a $y_{i,B}$ “$t(n-t)$” times). 

There are two approaches to perform the needed calculation. The first ap- 
proach is described as follows: to perform $y_{i,B} \cdot s_i$, perform 

$$\prod_{h \in B,\, h \ne i} \frac{0 - \alpha_h}{\alpha_i - \alpha_h} \cdot s_i$$ 

factor by factor, as a series of group operations. The running time to compute 
$y_{i,B} \cdot s_i$ in this manner, as stated by [4], is: 

Theorem 1. [4] The shareholder performs $O(tn^2)$ group operations, and $O(n)$ 
inverses, in addition to the time to choose randomly $t-1$ shares. The distributor 
performs $O(t^2 n^2 (n-t))$ group operations and $O(tn(n-t))$ inverse operations. 

A different method is suggested if a group operation is slower than integer mul- 
tiplication. Instead of performing a series of group operations, a series of $\mathbb{Z}[u]$ 
operations are performed, until $y_{i,B}$ is formed, then one group operation is per- 
formed. In [4], the authors established the following: 

Theorem 2. [4] Each shareholder performs $O(nt\log n)$ group operations, $O(n)$ 
inverses, and $O(t^3 n^2 (\log n)^2)$ elementary integer operations. In addition to the 
time needed to choose $t-1$ random shares, the distributor performs $O(t^2 n(n-t)\log_2 n)$ 
group operations, $O(tn(n-t))$ inverse operations, and $O(t^4 n^2 (n-t)(\log n)^2)$ 
elementary integer operations. 

2 Algorithms Which Improved Performance in the 
Desmedt-Frankel Scheme 

In [15], it was illustrated how to improve the performance of the Desmedt-Frankel 
scheme. Here, a series of results and algorithms were introduced in order to 
compute more efficiently. We discuss now those results that we will utilize. We 
will let $T_0$ denote all sets of $t$ participants. (In order to avoid confusion between 
an inverse of an $\alpha_x$ and an inverse of an $x \in \mathbb{Z}_q^*$, we will represent an inverse of 
$x \in \mathbb{Z}_q^*$ by $r_x$.) 

Theorem 3. [15] 

(1) For all $i, j$, with $i \ne j$, $\alpha_i - \alpha_j =$ 

(2) For all $x, a \in \mathbb{Z}_q^*$, $\dfrac{\alpha_x}{\alpha_a} = 1 + u^a + \cdots + u^{a(k-1)}$, where $k = x r_a \bmod q$. 

(3) If $f$ is the product of $r$ many cyclotomic polynomials of the form $\dfrac{\alpha_x}{\alpha_a}$ then 
all coefficients of $f$ are bounded by $-q^{r-1}$ and $q^{r-1}$. 

(4) For all $x$, $\alpha_x^{-1} = \dfrac{\alpha_1}{\alpha_x} = 1 + u^x + \cdots + u^{x(k-1)}$, where $k = r_x \bmod q$. 

(5) For all $i$ and $B \in T_0$, $y_{i,B} = u^{[\cdots]} \displaystyle\prod_{h \in B,\, h \ne i} \frac{\alpha_h}{\alpha_{h-i}}$ 


Improved Methods to Perform Threshold RSA 363 


(6) There exists an algorithm that will calculate the product of $r$ many cyclotomic 
polynomials of the form $\dfrac{\alpha_x}{\alpha_a}$ with a running time of $O(rn\log_2 n)$. 

(7) There exists an algorithm that will calculate $\alpha_x^{-1}$ with a running time of 
$O(n\log_2 n)$. 

(8) There exists an algorithm that will calculate $y_{i,B}$ with a running time of 
$O(t^2 n\log_2 n)$. 

As discussed in [15], consider the Desmedt-Frankel scheme implementing a thresh- 
old RSA signature. $N$ is the product of two distinct primes, and $\phi(N)$ is the 
Euler totient function. Then $\mathcal{K}$ is $\mathbb{Z}_{\phi(N)}$. In threshold RSA no participant can 
be given any information concerning $\phi(N)$. Shares are actually $(q-1)$-dimen- 
sional vectors in the module $\mathbb{Z}_{\phi(N)}^{q-1}$. From a shareholder’s view this will look like 
a $(q-1)$-dimensional integer vector. Thus computations can be performed using 
integer addition. The secret is $d$, where the RSA public key is $(e, N)$ and $ed = 1 
\pmod{\phi(N)}$. Therefore $\mathbf{k} = [d, 0, \ldots, 0] = \sum_{i \in B} y_{i,B} \cdot s_i$. If a set of $t$ participants 
would like to sign a message $m$, then they will not send their subshares of $d$ (i.e. 
they will NOT send $y_{i,B} \cdot s_i$), but rather they will send partial signatures. They 
could send $m^{y_{i,B} \cdot s_i}$. If all $t$ participants sent $m^{y_{i,B} \cdot s_i}$ then a combiner would get 
$m^d$ by 

$$m^d = F_0\bigl(m^{[d,0,\ldots,0]}\bigr) = F_0\Bigl(\prod_{i \in B} m^{y_{i,B} \cdot s_i}\Bigr).$$ 

However we must point out that this method wastes resources. That is, the 
combiner is actually computing $m^{[d,0,\ldots,0]} = [m^d, 1, 1, \ldots, 1]$, whereas the only 
element of interest is $m^d$. Consider the following method of computation. Recall 
that $F_0$ is a function which maps a $j$-tuple to its first coordinate. Now, suppose 
that $B$ is a set of participants, with $|B| = t$, and that for all $j \in B$, $z_j \in \mathcal{K}^{q-1}$, 
$z_j = [z_{j,0}, z_{j,1}, \ldots, z_{j,q-2}]$. Then 

$$F_0\Bigl(\prod_{j \in B} m^{z_j}\Bigr) = F_0\bigl(m^{\sum_{j \in B} z_{j,0}},\ m^{\sum_{j \in B} z_{j,1}},\ \ldots,\ m^{\sum_{j \in B} z_{j,q-2}}\bigr) = F_0\bigl(m^{\sum_{j \in B} z_j}\bigr) = m^{\sum_{j \in B} z_{j,0}}.$$ 

So we see that to compute $m^d$, all that is needed is $F_0(y_{i,B} \cdot s_i)$. 

Using a result developed by Desmedt-Frankel in [10], [15] established the 
following. 

Theorem 4. [15] To compute a partial signature, a shareholder must compute 
an integer then exponentiate $m$ to this integer. The amount of time required for 
shareholder computations can be expressed as: the time to compute the integer 
is $O(nt(t\log_2 n + \log_2 n \log_2 \phi(N)))$. The time to exponentiate is $O((t\log_2 n + 
\log_2 \phi(N))(\log_2 N)^2)$. 

Theorem 5. [15] The distributor is required to determine $O((t-1)n)$ elements 
from $\mathbb{Z}_{\phi(N)}$. The distributor needs to compute $O((n-t+1)n)$ elements from 
$\mathbb{Z}_{\phi(N)}$. The amount of time required for the distributor computations is $O(nt^2(n-t)\log_2 n \log_2 \phi(N))$. 

Both Theorem 4 and Theorem 5 incorporate a technique which calls for the 
computation of $y_{i,B}$ and then applying $y_{i,B} \cdot s$ (a technique proposed by Theorem 
2). We now provide a better alternative. This method will apply a technique very 
similar to the technique proposed by Theorem 1. 
3 Applying a Cyclotomic Polynomial to a Share 

Given a share $s = [s_0, s_1, \ldots, s_{q-2}]$, we will refer to $s_0$ as the zeroth term, 
$s_1$ as the first term, etc. Recall the application of $u$ to a share $s$ as: $us = 
[-s_{q-2},\ s_0 - s_{q-2},\ s_1 - s_{q-2},\ \ldots,\ s_{q-3} - s_{q-2}]$. Then $u^2 s = [s_{q-2} - s_{q-3},\ -s_{q-3},\ s_0 - 
s_{q-3},\ \ldots,\ s_{q-4} - s_{q-3}]$, $u^3 s = [s_{q-3} - s_{q-4},\ s_{q-2} - s_{q-4},\ \ldots,\ s_{q-5} - s_{q-4}]$, and so 
forth. In general 

$$u^a s = [s_{q-a} - s_{q-a-1},\ s_{q-a+1} - s_{q-a-1},\ s_{q-a+2} - s_{q-a-1},\ \ldots,\ s_{q-a-2} - s_{q-a-1}] \qquad (5)$$ 

where all but one of the terms is a difference of two subshares; the term which 
is not the difference of two subshares is the $(a-1)$-st term and is the negative of the 
subshare $s_{q-a-1}$. Further observe that when considering all positive terms of the 
differences each one of the original subshares occurs once, except for the subshare 
$s_{q-a-1}$ (which is the negative term for all the differences). Extend the definitions 
of the subshares $s_i$ by defining $s_q = s_0$, and for any integer $i$, $s_i = s_{i \bmod q}$. Due 
to space, we have omitted many of the proofs to our results. 

Theorem 6. To compute $u^a s_i$ requires $O(n)$ additions and 1 inverse within the 
group $\mathcal{K}$. 

In an effort to develop symmetry we will define an artificial subshare $s_{q-1}$. 
We are only creating this artificial subshare to illustrate a property concerning 
cyclotomic polynomials applied to $s$. In order for our computations to remain 
correct there is only one choice for $s_{q-1}$: we define $s_{q-1} = 0$ for all participants. 
Now consider the effect of our definition of $s_{q-1}$. We have $u^a s = [s_{q-a} - 
s_{q-a-1},\ s_{q-a+1} - s_{q-a-1},\ s_{q-a+2} - s_{q-a-1},\ \ldots,\ s_{q-a-2} - s_{q-a-1}]$, where the $j$-th 
term of $u^a s$ is $s_{q-a+j} - s_{q-a-1}$. Then 

$$\alpha_i s = \Bigl[\sum_{j=0}^{i-1} s_{q-j} - \mathrm{cst}_i,\ \sum_{j=0}^{i-1} s_{q-j+1} - \mathrm{cst}_i,\ \sum_{j=0}^{i-1} s_{q-j+2} - \mathrm{cst}_i,\ \ldots,\ \sum_{j=0}^{i-1} s_{q-j+q-2} - \mathrm{cst}_i\Bigr]$$ 

where $\mathrm{cst}_i = \sum_{j=0}^{i-1} s_{q-1-j}$. 
(Observe that in our definition of $\mathrm{cst}_i$ we have included $i-1$ additions; in reality 
there are only $i-2$ additions, as for the case $j = 0$ recall that $s_{q-1-j} = s_{q-1} = 0$.) 
If we represent $\alpha_i s = [a'_0, a'_1, \ldots, a'_{q-2}]$, then 

$$a'_0 = s_{q-0} + s_{q-1} + \cdots + s_{q-(i-1)} - \mathrm{cst}_i,$$ 

$$a'_j = s_j + s_{j-1} + s_{j-2} + \cdots + s_{j-(i-1)} - \mathrm{cst}_i.$$ 

Thus, for $1 \le j \le q-2$, 

$$a'_j = a'_{j-1} + s_j - s_{q-(i-j)}. \qquad (6)$$ 

Now observe that $a'_0 = s_q - s_{q-i} = s_0 - s_{q-i}$. 

Theorem 7. To compute $\alpha_i s$ requires $O(n)$ additions and $O(n)$ inverses within 
the group $\mathcal{K}$. 
We now consider the cost of computing $\frac{\alpha_x}{\alpha_a} s$. To this end, we generalize $us$ to 
include the artificial subshare $s_{q-1}$. So for all $s$ we extend $s$ by 

$$s = [s_0, \ldots, s_{q-2}] = [s_0, \ldots, s_{q-2}, 0]_{\mathrm{ext}} = [s_0, \ldots, s_{q-2}, s_{q-1}]_{\mathrm{ext}} \qquad (7)$$ 

Then for $s = [s_0, \ldots, s_{q-2}, s_{q-1}]_{\mathrm{ext}}$, and any $b \in \mathbb{Z}$, $bs = [bs_0, \ldots, bs_{q-2}, bs_{q-1}]_{\mathrm{ext}}$. 
Further, extend $us = [s_{q-1} - s_{q-2},\ s_0 - s_{q-2},\ \ldots,\ s_{q-3} - s_{q-2},\ s_{q-2} - s_{q-2}]_{\mathrm{ext}}$. 
Notice that both $bs$ and $us$ are the same as the true $bs$ and $us$ with a $0$ appended 
at the end. 

Theorem 8. For all $a$, with $1 \le a \le q-1$, $u^a s = [s_{q-a} - s_{q-a-1},\ s_{q-a+1} - 
s_{q-a-1},\ s_{q-a+2} - s_{q-a-1},\ \ldots,\ s_{q-a-2} - s_{q-a-1},\ s_{q-a-1} - s_{q-a-1}]_{\mathrm{ext}}$. Thus the $j$-th 
term of $u^a s$ is $s_{q-a+j} - s_{q-a-1}$. 

Observe that for each $x \in \{0, \ldots, q-1\}$ there exists an integer $i \in \{0, \ldots, q-1\}$ 
such that $x = ia \bmod q$. Of course if $x = 0$ then $i = 0$, otherwise $i = x r_a \bmod q$, 
where we have used $r_a$ to represent the inverse of $a$ in the field $\mathbb{Z}_q$. Next observe 
from the above theorem that if we represent $u^a s$ by $u^a s = [s'_0, s'_1, \ldots, s'_{q-1}]_{\mathrm{ext}}$, 
then $s'_x = s_{q-a+x} - s_{q-a-1}$. Therefore $s'_{ia} = s_{q-a+ia} - s_{q-a-1}$. Now observe that 
$q - a = (qa - a) \bmod q = (q-1)a \bmod q$. Let $e_a \in \mathbb{Z}_q^*$ be such that $e_a a = q-1 \bmod q$. 
Then $(e_a - 1)a = q - a - 1 \bmod q$. Hence $s'_x = s'_{ia} = s_{(q-1)a + ia} - s_{(e_a-1)a} = 
s_{(q-1+i)a} - s_{(e_a-1)a} = s_{(i-1)a} - s_{(e_a-1)a}$. 

Corollary 9. For all integers $j$, with $1 \le j \le q-1$, $u^{aj} s = [s^{(j)}_0, s^{(j)}_1, \ldots, s^{(j)}_{q-1}]_{\mathrm{ext}}$, 
where $s^{(j)}_{ia} = s_{(i-j)a} - s_{(e_a-j)a}$. 

Theorem 10. For all $j$, with $1 \le j \le q-1$, $(1 + u^a + u^{2a} + \cdots + u^{ja})s = 
[b_0, b_1, \ldots, b_{q-1}]_{\mathrm{ext}}$, such that $b_{ia} = s_{ia} + \sum_{x=1}^{j} s_{(i-x)a} - \sum_{x=1}^{j} s_{(e_a-x)a}$. (Recall 
that $e_a = q-1 \bmod q$.) 

We make the following observations. Consider the $b_i$ from Theorem 10. First $b_0 = 
s_0 + \sum_{x=1}^{j} s_{(-x)a} - \sum_{x=1}^{j} s_{(e_a-x)a}$. Next $b_a = s_a + \sum_{x=1}^{j} s_{(1-x)a} - \sum_{x=1}^{j} s_{(e_a-x)a} = 
b_0 + s_a - s_{(-j)a}$. In general 

$$b_{(i+1)a} = b_{ia} + s_{(i+1)a} - s_{(i-j)a}. \qquad (8)$$ 

Also observe that for all $i$, 

$$0 \le |b_{ia}| \le q \cdot \max_j |s_j|. \qquad (9)$$ 

Theorem 11. For each $a$ and $x$, with $1 \le a, x \le q-1$, it requires $O(n)$ addi- 
tions and $O(n)$ inverses to compute $\frac{\alpha_x}{\alpha_a} s$. It also requires $O(n\log_2 n)$ elemen- 
tary operations. (The elementary operations cost represents the time required to 
increment $ia$ for $i = 0, \ldots, q-1$.) 
Regarding shareholder computations, we have not referred to the arithmetic 
operations as “arithmetic operations in the group $\mathcal{K}$”. The shareholder may 
not be given enough information concerning the group $\mathcal{K}$ to perform arithmetic 
operations in $\mathcal{K}$. (For example in threshold RSA the group is $\mathbb{Z}_{\phi(N)}$. In this 
case $\phi(N)$ cannot be revealed to any shareholder, otherwise they can compute 
the secret key $d$.) The shareholder can perform the arithmetic operations as 
integer operations. The cost of an integer addition is equal to the logarithm of 
the maximum addend. 


Corollary 12. The cost for a shareholder to perform the required additions to 
compute ^-s is 0(n ■ log 2 ( 1< Pff*_ 2 Si)) . V s tfte original share dealt to the 
shareholder and we are implementing the scheme to perform threshold RSA then 
this cost is 0(n log 2 <j>(N)). 

Observe that if $s$ was the shareholder's original share then the subshare $\frac{\alpha_x}{\alpha_a}s$ is bounded by $-q\phi(N)$ to $q\phi(N)$ (as stated by equation (9)). Hence a bound on the size of such shares would be $\log_2(q\phi(N)) = \log_2 q + \log_2\phi(N)$. If one successively applies two distinct cyclotomic polynomials of the form $\frac{\alpha_x}{\alpha_a}$ to an original share $s$ then the bound on the resulting shares would be $-q^2\phi(N)$ to $q^2\phi(N)$. Thus if one applies a product of $t-1$ cyclotomic polynomials to an original share, the bound is $-q^{t-1}\phi(N)$ to $q^{t-1}\phi(N)$.

We are now ready to describe an alternate way a shareholder may compute their partial result (signature). We will refer to this as Method $\mathcal{M}$. Method $\mathcal{M}$ requires less computational time in comparison to the method developed in [15], which we will refer to as Method A.


Theorem 13. Shareholder $P_i$ needs to perform $O(nt)$ integer additions to compute $y_{i,B}s_i$. In addition, the shareholder will need to perform $O(tn\log_2 n)$ elementary operations.

Proof. In [15], it was established that $y_{i,B} = \prod_{h \in B,\, h \ne i}(\cdots)$. Then $y_{i,B}s = \prod_{h \in B,\, h \ne i}(\cdots)\,s$. For each $h \in B$, $h \ne i$, $(\cdots)$, where $x = (h-i)^{-1}h \bmod q$. Consider

(10)


This represents $t-1$ successive applications of a cyclotomic polynomial to a share. To give a definitive cost we will assume we are performing threshold RSA; then the cost is

$\text{cost} = q\log_2\phi(N) + q\log_2(q\phi(N)) + \cdots + q\log_2(q^{t-2}\phi(N))$

$= O(q(t^2\log_2 q + t\log_2\phi(N)))$

$= O(nt(t\log_2 n + \log_2\phi(N))).$

We then need to apply $(\cdots)$ to equation (10); this cost is $n$ integer additions, which costs $n \cdot \log_2(q^{t-1}\phi(N))$, which is $O(n(t\log_2 n + \log_2\phi(N)))$. Overall this cost is $O(nt(\log_2 n + \log_2\phi(N)))$. The cost of integer operations can be characterized as follows: $(t-1)$ inverses in $\mathbb{Z}_q^*$ need to be computed, i.e. $(h-i)^{-1}$; $(t-1)$ multiplications need to be computed; and $t$ incrementations in $\mathbb{Z}_q^*$ by $ia$ for $a = h-i$. This cost can be measured as $O(t(\log_2 q)^2 + t\log_2 q + tq\log_2 q) = O(nt\log_2 n)$.

There is one more step that the shareholder must perform and that is to exponentiate the zeroth term, i.e. $m^{F_0(y_{i,B}s_i)}$ (we are assuming a signature scheme). Since the size of the coefficient is bounded by $-q^{t-1}\phi(N)$ to $q^{t-1}\phi(N)$, this cost is $O((t\log n + \log\phi(N))(\log N)^2)$.


Shareholder's computations

                                   | Method A [15]                  | Method M
  Time to compute a partial share  | nt(t log n + log n log φ(N))   | nt(t log_2 n + log_2 φ(N))
  Time to exponentiate             | (t log n + log φ(N))(log N)^2  | (t log n + log φ(N))(log N)^2


Method $\mathcal{M}$ reflects the cost of $nt$ additions, similar to the approach discussed in Theorem 1. However our method takes $1/n$ of the amount of time required by Theorem 1. Method $\mathcal{M}$ is always superior to Method A. However, it may be that the most time consuming operation is the exponentiation, which in both methods costs the same amount of time. Note that the $nt^2\log_2 n$ of Method A (in "compute a partial share") represents the cost of computing $y_{i,B}$. The $nt^2\log_2 n$ of Method $\mathcal{M}$ represents the cost of incrementing and other $\mathbb{Z}_q$ operations. The $nt\log n\log\phi(N)$ of Method A (in "compute a partial share") represents the cost of the group operations, and the $nt\log\phi(N)$ of Method $\mathcal{M}$ represents the cost of group operations. Thus we see that the improvement in time (when comparing our method to Method A) is a factor of $\log_2 n$.

4 How a Distributor Computes the Shares

A distributor knows enough information concerning the group $\mathcal{K}$ to perform additions in the group $\mathcal{K}$.

Theorem 14. The cost for a distributor to perform the required additions to compute $\frac{\alpha_x}{\alpha_a}s$ is $O(n \cdot \log_2(|\mathcal{K}|))$ and $O(n\log_2 n)$ elementary operations. If $s$ is a share dealt to the shareholder and we are implementing the scheme to perform threshold RSA then the cost for the distributor to compute $\frac{\alpha_x}{\alpha_a}s$ is $O(n\log_2\phi(N))$.

The following is a simple result which we use later.

Corollary 15. If the distributor applies two cyclotomic polynomials to a share dealt to a shareholder then the cost of performing the additions is $O(n\log_2\phi(N))$.

Theorem 16. For a distributor to compute $y_{i,B}s$, the distributor needs to perform $O(nt)$ additions in the group $\mathcal{K}$. In terms of threshold RSA, the cost is $O(nt\log_2\phi(N))$. In addition, the distributor will need to perform $O(tn\log_2 n)$ elementary operations.

We are ready to describe how the distributor can compute all the shares $s_1, \ldots, s_n$. There are two alternatives. As we will establish, the second alternative is the preferred method.

4.1 Distributor-Method 1 

Recall that the shares $s_1, \ldots, s_n$ can be determined by randomly selecting vectors $c_1, \ldots, c_{t-1}$ from $\mathcal{K}^{q-1}$ and applying the representation given by equation (3). Then for all $i$, $s_i = k + \alpha_i c_1 + \cdots$. Observe that we can apply Horner's algorithm, and we get

$s_i = \alpha_i(\cdots\alpha_i(\alpha_i c_{t-1} + c_{t-2})\cdots + c_1) + k$ (11)

Theorem 17. To compute $s_i$ using equation (11) requires $t$ multiplications of an $\alpha_i$ to a vector and $t$ additions of vectors. The cost of Horner's algorithm to compute the shares for threshold RSA is $O(tn^2\log_2\phi(N))$.

Proof. Using Theorem 7 the cost of computing $s_i$ is $nt$ additions in $\mathbb{Z}_{\phi(N)}$, which is $O(nt\log_2\phi(N))$. The distributor needs to compute all $n$ shares. Hence a total cost of $O(tn^2\log_2\phi(N))$.

4.2 Distributor-Method 2 

Recall the following manner in which a distributor may distribute shares. The distributor selects $t-1$ random shares $s_1, \ldots, s_{t-1}$. The remaining $n-t$ shares are computed using equation (1), therefore

$s_i = y_{i,C_i}^{-1}k - \sum_{j \in C_i}(\cdots)$ (12)

where $t \le i \le n$ and $C_i = \{1, 2, \ldots, t-1, i\}$.

Observe that to compute $s_i$ (for $i = t, \ldots, n$) we need to compute $\frac{y_{j,C_i}}{y_{i,C_i}}$ for $j = 1, \ldots, t-1$, and $y_{i,C_i}^{-1}$. Equation (12) illustrates how a combination of the secret is salted with randomness (recall that in this distribution method, $s_1, \ldots, s_{t-1}$ are random vectors) to form the share $s_i$.

Lemma 18. For each $i, j$ and $B$, $\frac{y_{j,B}}{y_{i,B}} = -y_{j-i,B'(j,i)}$, where $B'(j,i) = \{-i\} \cup \{h-i : h \in B, h \ne i\}$.

Observe that to compute $\frac{y_{j,C_i}}{y_{i,C_i}}$ reduces to computing a $y_{*,**}s$. Note that this ratio will need to be determined by the distributor $(t-1)(n-t)$ times, where $B = C_i$.



Improved Methods to Perform Threshold RSA 369 


Lemma 19. For all $i$ and all $B$ with $i \in B$, $y_{i,B}^{-1} = y_{-i,B''(i)}$, where $B''(i) = \{-i\} \cup \{h-i : h \in B, h \ne i\}$.

Observe that to compute $y_{i,C_i}^{-1}$ reduces to computing a $y_{*,**}s$.

Lemma 20. For all $i \in \{1, \ldots, t-1\}$ and $t \le j \le n$,

$\frac{y_{i+1,C_j}}{y_{j,C_j}} = u^{i-(t-1)}\,\frac{\alpha_{t-1-i}\,\alpha_{j-i}}{\alpha_{i+1}\,\alpha_{j-1-i}}\;\frac{y_{i,C_j}}{y_{j,C_j}}$

The table below, together with Lemma 20, illustrates how a distributor can compute successive ratios of $y$'s by starting in the upper left hand corner and moving to the right, using the previous entry together with the product of two cyclotomic polynomials and a $u$ to a power.

           1                               ...   t-1
  t        y_{1,C_t}/y_{t,C_t}             ...   y_{t-1,C_t}/y_{t,C_t}
  t+1      y_{1,C_{t+1}}/y_{t+1,C_{t+1}}   ...   y_{t-1,C_{t+1}}/y_{t+1,C_{t+1}}
  ...      ...                                   ...
  n        y_{1,C_n}/y_{n,C_n}             ...   y_{t-1,C_n}/y_{n,C_n}               (13)


From Lemma 20 we see that the product of two cyclotomic polynomials and a $u$ to a power applied to $\frac{y_{1,C_t}}{y_{t,C_t}}$ generates $\frac{y_{2,C_t}}{y_{t,C_t}}$. Similarly, the product of two cyclotomic polynomials and a $u$ to a power applied to $\frac{y_{2,C_t}}{y_{t,C_t}}$ generates $\frac{y_{3,C_t}}{y_{t,C_t}}$, and so on. For each $i, j$ with $1 \le j \le t-1$ and $t \le i \le n$, define $\gamma_{i,j}$ to be the factor of Lemma 20 that takes one entry of the table to the next, i.e.

$\gamma_{i,j} = u^{j-(t-1)}\,\frac{\alpha_{t-1-j}\,\alpha_{i-j}}{\alpha_{j+1}\,\alpha_{i-1-j}}$, so that $\frac{y_{j+1,C_i}}{y_{i,C_i}} = \gamma_{i,j}\,\frac{y_{j,C_i}}{y_{i,C_i}}$.

For the distributor to compute $s_i$ ($t \le i \le n$), they must compute two parts. First they must compute $y_{i,C_i}^{-1}k$. (By Lemma 19, this has cost $O(nt\log\phi(N) + nt\log_2 n)$.) Also, the distributor must compute $\sum_{j=1}^{t-1}(\cdots)$. The distributor can compute

370 Brian King 


Now note that the time to compute $\gamma_{i,j}$ times a share is equivalent to applying two cyclotomic polynomials on a vector and then applying $u$ to a power times a share. By Theorem 6, Theorem 14, and Corollary 15, the cost is $2n\log\phi(N) + 2n\log n = O(n(\log n + \log\phi(N)))$. There are $t-1$ of these multiplications by a $\gamma_{i,j}$ to compute. In addition, there are $t-1$ vector additions to be performed. The total running time is $O(tn(\log n + \log\phi(N)) + tn\log\phi(N)) = O(tn(\log n + \log\phi(N)))$. Then we must apply a $y_{i,C_i}$ to this resulting vector. This cost is $O(tn(\log n + \log\phi(N)))$. Thus to compute this portion of $s_i$ has cost $O(tn(\log n + \log\phi(N)))$. To compute $y_{i,C_i}^{-1}k$ is $O(nt\log_2\phi(N) + nt\log_2 n)$. To compute both portions has cost $O(tn(\log n + \log\phi(N)))$.

Now the distributor has to compute $s_t, \ldots, s_n$. Altogether, to compute all $n-t$ shares has a total cost of $O(tn(n-t)(\log n + \log\phi(N)))$.


Distributor's computations

                                    | Method A [15]                  | Method 1 (Horner)   | Method 2
  Randomness required               | (t-1)(q-1)                     | (t-1)(q-1)          | (t-1)(q-1)
  Time to compute remaining shares  | nt^2(n-t) log_2 n log_2 φ(N)   | tn^2 log_2 φ(N)     | tn(n-t)(log_2 φ(N) + log_2 n)


When $n\log\phi(N) < (n-t)(\log\phi(N) + \log n)$, Method 2 performs better than Method 1. Although we omit the lengthy argument, the addition of $\log_2 n$ in Method 2 can be dropped if one wants to store previously computed $ia$'s. This is achieved with a large memory cost.

5 Comparison with Other Schemes 

Comparing Method $\mathcal{M}$ with Method A, we have seen that in terms of Shareholder computations, Method $\mathcal{M}$ always performs better than or the same as Method A. Regarding Distributor computations, Method $\mathcal{M}$ always performs better than Method A.

Similar to what was done in [15], we compare the performance of Shoup's signature scheme [20] with the Desmedt-Frankel scheme using our method. Regarding Shareholder computations, there are various cases to consider. It is clear that Method $\mathcal{M}$ is superior to Shoup's scheme (regarding Shareholder computations) when $(t\log_2 n + \log_2\phi(N))(\log_2 N)^2 > nt(t\log_2 n + \log_2\phi(N))$. Regarding Distributor computations, Method $\mathcal{M}$ is superior to Shoup's scheme whenever $(\log_2\phi(N))^2 > (n-t)(\log_2 n + \log_2\phi(N))$. Thus in many cases the Desmedt-Frankel scheme performs better than other threshold RSA signature schemes. This scheme still has disadvantages, in that it has large shares and it requires a large amount of randomness for the distributor to compute the shares. Shoup's scheme, like the schemes by Rabin [17] and Frankel, Gemmel, Mackenzie and Yung [12], may perform worse than the Desmedt-Frankel scheme, because they utilize a technique of exponentiating to a large exponent, an exponent greater than $n!$, rather than using expanded shares. Whereas in the Desmedt-Frankel scheme the largest the exponent can be is $q^t\phi(N)$. In reality $q^t\phi(N)$ is an upper bound and is dependent on the $i$ and $B$. In many cases, the exponent will be much smaller. We do note that threshold schemes like [12] have other benefits that the Desmedt-Frankel scheme does not possess.



                                   | Shoup's scheme                        | Desmedt-Frankel scheme, Method M
  Size of share                    | 1                                     | n
  Shareholder time required        | (n log_2 n + log_2 φ(N))(log_2 N)^2   | max{nt(t log_2 n + log_2 φ(N)), [t log_2 n + log_2 φ(N)](log_2 N)^2}
  Distributor randomness required  | t - 1                                 | (t - 1)O(n)
  Distributor time required        | nt(log_2 φ(N))^2                      | nt(n - t)(log_2 n + log_2 φ(N))
  Combiner time required           | (t + log_2 a + log_2 b)(log_2 N)^2    | t(log_2 N)^2


6 Conclusion 

We have described algorithms which effectively speed up computations in the threshold RSA scheme developed by [4]. We have pointed out that there are many occasions when the Desmedt-Frankel scheme will perform better than "efficient" schemes. However, our work has not reduced share size nor the randomness required. It is ironic that with a large share, computations may be smaller than in schemes with small share size. In the end, in most threshold examples, it is response time, i.e. the time required for the shareholder to respond to a signature request, that is most important. Further, we point out that although shares are large, the partial signatures sent to the Combiner are the same size as an RSA signature. If the distributor has enough random resources, it appears that the remaining computations are comparable to (or better than) the distributor work for other threshold schemes. Lastly, the Combiner's amount of computation within the Desmedt-Frankel scheme is less than or equal to the Combiner's work in Shoup's scheme.
Abstract. In a recent Stanford Law Review article, Ayres and Bulow [1] propose a radical anonymity-based solution to disrupt the "market" for monetary influence in political campaigns. To realize their proposal, we propose new cryptographic protocols for commital deniable proofs and deniable payment schemes.


"[T]here is little reason to doubt that sometimes large contributions will work actual corruption of our political system, and no reason to question the existence of a corresponding suspicion among voters."

- U.S. Supreme Court Justice David Souter, Nixon v. Shrink Missouri Government PAC, Jan 24, 2000.

"[Spiritually] lower than this is one who gives to the poor in a way that the giver does not know to whom he is giving and the poor person does not know who he took from. Lower than this is where the giver knows who he is giving to and the poor does not know who he is receiving from. Lower than this is where the poor knows who he is receiving from but the giver does not." - Maimonides, Laws of Gifts to the Poor 10:7-14, 12th Century.


1 Introduction 

The success of political candidates in U.S. elections depends critically on the 
amount of money they can spend on their campaign. Candidates may thus be- 
come vulnerable to influence buying by wealthy citizens, corporations, or Politi- 
cal Action Committees (i.e., groups that are able to raise and bundle significant 

* Work on this paper was done while author was at Xerox PARC. 

T. Okamoto (Ed.): ASIACRYPT 2000, LNCS 1976, pp. 373-387, 2000. 
amounts). Influence buying can range from simply buying time with the candidate, to buying the opportunity to express opinions on particular political
issues, to outright quid pro quo corruption where political positions are traded 
for donations. Candidates may also extort donations from potential donors, by 
threatening them with punitive treatment or indifference. The potential for po- 
litical corruption has led to regular attempts to reform the system of campaign 
finance. Mainstream proposals include mandated disclosure of campaign dona- 
tions (to expose suspicious correlations between the candidate’s positions and 
the donors’ interests) and limits on the amount of donations. 

Ayres and Bulow [1] propose a more radical approach to disrupt the “market” 
for monetary influence. Any donor can contribute any amount to any candidate’s 
campaign, but must not be able to prove to the candidate that he made a dona- 
tion. Since a true influence buyer has no more credibility than a fake influence 
claimer, potential influence buyers have no incentive to actually make a con- 
tribution. Furthermore a candidate who tries to extort donations (or “launder” 
funds through phony donors) has no way to verify that the extorted party in fact 
followed his blackmailing. We refer the reader directly to [1] for a more detailed 
discussion of “mandated donor anonymity” and its consequences, constitution- 
ality, and political feasibility. 

To implement their proposal, Ayres and Bulow offer only a trusted third party 
design called the “Blind Trust.” All donations are made through the Blind Trust, 
which has a policy of never revealing the identity of the donors. This complete 
reliance on a trusted third party is unsatisfying. Moreover, if donations to the 
blind trust are made by check or other traditional payment mechanisms, then 
external paper trails and bank records could later be used by the donor to prove 
to a candidate that a certain donation was made. 

We view this as a cryptographic problem. In this paper, we will introduce the 
problem of deniable electronic payment mechanisms, and show how they can be 
applied to the mandated donor anonymity problem. Our proposal is practical, 
and improves on the original Blind Trust of Ayres and Bulow in several critical 
aspects. 

Most importantly our protocol achieves verifiability: although donations are 
deniable it can still be publicly verified that no donations were withheld from 
the candidate. To achieve this we introduce the notion of commital deniable 
proofs and show that every statement can be proved in a commital deniable 
way. Commital deniable proofs allow a player to prove knowledge of certain 
decommitals that satisfy a predicate, without revealing which commitments he 
is using. Later, given witnesses to any decommitals that satisfy the predicate, 
he can later claim that these were the ones used to produce the proof. This 
fairly general construction seems to be applicable in many situations in which 
provability and deniability should be combined. Our protocol builds on ideas 
of Cramer and Damgard [12] for efficient zero-knowledge proofs, which in turn 
builds on ideas of Cramer, Damgard, and Schoenmakers [13]. In essence, we show 
that these earlier protocols have our new property of commital deniability. 
We also elaborate on the differences between anonymity and deniability for payment
schemes and show how the basic Chaumian ecash system [11] can be made 
deniable. Although the deniability properties of this variant of Chaumian ecash 
are not strong enough to give a solution to the campaign financing problem it still 
offers stronger privacy protecting guarantees than “solely” anonymous ecash as 
it allows payers to convincingly lie about how they spent their electronic money 
under coercion, which may be of independent interest. 


1.1 Organization of the Paper 

In Section 2 we describe related work. In Section 3 we state the requirements and 
assumptions for the donation protocol. In Section 4, we give definitions and pro- 
tocols for commital deniable proofs. In Section 5, we show how to use commital 
deniable proofs in a deniable payment scheme. In Section 6, we elaborate on the 
similarities and differences of anonymity and deniability for payment schemes. 
Conclusions are given in Section 7. 

2 Related Work 

The previous discussion motivates the design of a payment mechanism that 
protects against the “adversarial” behavior of 

1. A donor who wishes to prove to a candidate that he made a donation. This influence buying donor is an example of a self-coercing adversary. If a protocol protects against this attack, we say that it is "receipt-free" for the donor.

2. A candidate who tries to extort contributions from a donor, or tries to extract 
information from the trust. If a protocol protects against this attack, we say 
that it is “incoercible” for the donor or trust. 

Our deniable payment protocol will be receipt-free for the donor, and in- 
coercible for the trust. There will be other requirements as well, e.g., public 
verifiability for the trust. This is all discussed in more detail in Section 3. 

A scheme for “deniable encryption” was introduced by Canetti et al. [7]. 
Consider encryption to be a one-round, one-message protocol from the sender 
to the receiver. Consider deniability with respect to the message that was en- 
crypted, i.e., a coercer who saw the ciphertext wants to know what plaintext 
was actually encrypted and sent. They use the term “sender-deniability” (or 
“receiver-” or “sender-and-receiver-” ) for what we are calling incoercibility. They 
give a solution to these problems which requires that the size of the ciphertext is linear in $1/\delta$, where $\delta$ is the probability that the adversary can distinguish the real plaintext-plus-coinflips of the sender from the phony plaintext-plus-coinflips.
Canetti et al. also consider a setting they call “flexibly deniable encryption” . In 
this setting the sender chooses the fake message already before encryption. They 
give a good solution for this case. Intuitively, our notion of commital deniability 
can be said to lie somewhere between deniability and flexible-deniability. Canetti 
et al. do not consider receipt-freeness. 
Building on the primitive of deniable encryption, Canetti and Gennaro [9]
show that any function can be securely evaluated in an incoercible way, i.e. the 
parties can lie about their inputs to the secure function evaluation under external 
coercion. 

Even if one does not care about efficiency the problem with applying these 
incoercible protocols to the campaign donation problem is that they are not 
receipt-free, i.e. a self-coercing adversary can still prove what his input was. The 
well known reason (see [4,5]) is that the ability of a party to lie about its input 
relies on its ability to produce fake random coin flips that were used for the 
(probabilistic) encryption of the input. Thus a party who commits itself to the 
used randomness by choosing it as the output of a hash function lost its ability 
to lie and can thereby prove what its input was. 

Nevertheless, incoercible protocols can be useful for the design of receipt-free 
protocols. We use the commital deniable proofs to ensure public verifiability in 
our protocol. The protocol is still receipt-free for the donors. 

Benaloh and Tuinstra [4] initiated the study of receipt-freeness and inco- 
ercibility for secret ballot election schemes (see also [18,16,17,15]). To achieve 
incoercibility these protocols typically have a “voting booth” (or make other 
physical assumptions) that guarantee that the voter is isolated from the coercer 
for one phase of the voting protocol. In principle every receipt-free or incoercible 
voting scheme can be mapped into a deniable payment scheme. Each potential 
contributor registers as many times as he likes, paying one unit of cash for each 
vote. The contributor later casts as many of these votes as he likes to contribute 
to a particular candidate. The voting authority moves cash to candidate ac- 
counts according to the outcome of the election. Our efficient deniable payment 
scheme is based on different principles than the previous ones for receipt-free 
and incoercible voting which use homomorphic encryption, Mixnets, or blind 
signatures. 

Canetti and Ostrovsky [10] consider multiparty computation where all par- 
ties may diverge from the protocol as long as they can do so undetectably. They 
distinguish the cases of globally-honest-looking and locally-honest-looking mis- 
behavior, i.e., whether any party’s deviation is undetectable by all parties or by 
any one party. The problems they face are similar to the problems of defending 
against a self-coercing adversary. 


3 Requirements and Assumptions 

Before describing our solution, we discuss the requirements and assumptions, 
and point to some of the potential problems one runs into when designing a 
deniable payment mechanism. Let’s first restate the main requirement for our 
protocol: 

Req. 1: Receipt-Freeness for the Donor: A donor should not be able to 
prove to the candidate that he made a donation. 
If we want to avoid the cumbersome necessity of a physical donation booth,
in which the donor drops his dollars into a donation box we have to allow for 
mechanisms for remote donations. This creates potential problems that have 
been recognized in remote voting systems: a coercer may look over the voter’s 
shoulder while he casts his ballot. This applies even more so to a donation 
system: Candidate and donor can always get together while the donor writes the 
check or initiates a payment with electronic cash. The effect of this behavior in 
the donation setting is potentially very effective as a few donors may already 
account for a large total sum of donations (in contrast to remote voting in a 
large scale election where it is much less feasible “to watch over the shoulder” 
of a sufficient number of voters to influence the outcome). This includes attacks 
where a donor tries to prove a donation was made via covert timing channels in 
the financial system. For example a donor could announce to the candidate that 
a specific amount is about to be contributed. 

A way to defeat this kind of attack is to give a donor the ability to cancel his donation. To enable the donor to send cancellation messages for his donation to the blind trust we make the physical assumption of the availability of an:

Ass. 1: Untappable Channel: The donor has the ability to send one (unnoticed) message to the trust via an untappable channel in some time window (e.g., two weeks).

This assumption seems to be well implementable in real life systems. Note 
that the trust could set up various channels to receive cancellation messages, 
e.g., via (anonymized) email, the phone system, postal mail ... It seems realistic 
to assume that not all of these channels are under the control of parties colluding 
with a candidate. 

Thus the first main ingredient to achieve receipt-freeness for the donor is to 
allow for (possible) overpayment via cancellation. 

To ensure the overall correctness of the deniable donation process we require 

Req. 2: Verifiability: It can be publicly verified that the trust paid out no less 
money to the candidate than if it would have followed the protocol honestly. 

Note that accountability is an important feature to ensure the overall trustworthiness of a deniable payment mechanism. As individual payers must not have individualized receipts and as, e.g., in our campaign finance application large sums of money may be involved, the system would otherwise become a lucrative target for insider attacks that may be hard to detect.

In our protocol each cancellation message consists of a secret that is sent by 
the donor to the trust. For public verification the trust will construct a proof of 
how many secrets it has learned in the cancellation phase. (The proof does not 
reveal which secrets the trust has learned). Once this proof has been publicly 
verified there is no longer a need that it can be derived from the trust's records which the actual secrets were that the trust has learnt. This should allow one to
secure the trust against later coercion attempts (e.g., by a curious and powerful 
politician after he has been elected). A simple, but reasonable solution to achieve 
this is that the trust "forgets" which secrets it has learnt during the cancellation
phase, i.e. it erases all its corresponding records. 

Note, however, that reliable erasure of records in the presence of multiple operators seems to be hard to ensure. (To realize the untappable channel in our system, records will, e.g., be received by parties operating phones, postal mail and email.) The alternative solution we suggest is based on deniable proofs of knowledge. It is no longer vulnerable to the revelation of accidentally or intentionally kept copies of the revealed secrets. Accidental or coerced revelation of a record after the deniability phase of the protocol no longer proves anything.

To ensure this deniability property of the protocol it is sufficient that the 
trust makes sure that random bits used for the construction of the proof were 
in fact randomly chosen (and not e.g. as images of a hash function). 

Req. 3: Incoercibility for the Trust Without Erasure: There is a denia- 
bility phase in the protocol such that after its completion the honest trust 
cannot be forced to prove to anybody who the actual individual donors were 
or what the individually donated amounts were, even if the trust performs 
no erasures. 

We make the following assumption about the trust: 

Ass. 2: No Pre-Coercion of Trust: The trust is not coerced (or corrupted) 
up to the deniability phase. 

This assumption implies in particular that the trust itself does not collude 
with the candidate for whom it is collecting the donations. 

The following requirement is motivated by the fact that, e.g., foreign nation- 
als are not allowed to make donations to U.S. campaigns. Furthermore it should 
be prevented that money from criminal organizations is funneled to a candi- 
date, or that the deniable payment mechanism is abused for money laundering 
activities. 

Req. 4: Legitimacy of Funds: The candidate should only receive donations 
from “legitimate sources” . 

What exactly “legitimate sources” are is beyond the (technical) scope of this 
paper and may depend on the particular election situation. We assume that 
the legitimacy of the origin of (non-anonymized) funds can be determined by 
traditional means. 

4 Commital Deniable Proofs 

In this section we introduce the notion of commital deniable proofs. We show 
that every predicate has a commital deniable proof, using techniques of Cramer 
et al. [13,12]. That is, we show that the protocol from [12] has our new property 
of commital deniability. The protocol requires constant rounds and message com- 
plexity proportional to the size of the formula for the predicate. This protocol 
is a useful building block for our deniable payment scheme. 
The general intuition behind our notion is that there is a predicate and a
set of unconditionally hiding commitments. A party should be able to prove 
knowledge of certain decommitals that satisfy the predicate, without revealing 
which commitments he is using. Later, given witnesses to any decommitals that 
satisfy the predicate, he can later claim that these were the ones used to produce 
the proof. More formally, there is a faking algorithm that takes as input the new 
(claimed) decommitals, the old (actually used) decommitals, the transcript of 
the proof, and the coin flips of the prover during the proof. The output of the 
faking algorithm is a new set of coin flips that is consistent with the old transcript 
together with the new decommitals. 

Let $z_1, \ldots, z_n$ be boolean variables. A "boolean circuit" is a directed acyclic graph where every node has in-degree 0 or 2, and one node has out-degree 0. A node with in-degree 0 is called an input node, and is labeled with some $z_i$ or $\bar{z}_i$ (possibly repeated). A node with in-degree 2 is called a gate, and is labeled with OR or AND. The node with out-degree 0 is called the output node. Let $E, I, G$ denote the edges, input nodes, and gates of a circuit. A "boolean formula" is a boolean circuit where no node has out-degree greater than 1. Let $p$ be a sufficiently large prime. Let $g$ and $h$ have large prime order $q$ in $\mathbb{Z}_p^*$, where the discrete log of $h$ to the base $g$ is unknown to all parties. Let $y_{i,j} = g^{b_{i,j}} h^{r_{i,j}} \bmod p$, where $b_{i,j} \in \{0,1\}$ and $r_{i,j} \in_R \mathbb{Z}_q$ (unconditionally hiding boolean commitments). We say that $(b_{i,j}, r_{i,j})$ is a "decommital" of $y_{i,j}$.

In a commital deniable proof of knowledge for a language $L$ both prover and verifier are given a formula $\phi$ over $n$ boolean variables and commitments $\{y_{i,j} : 1 \le i \le k, 1 \le j \le n\}$. The prover knows decommitals $\{(b_{i^*,j}, r_{i^*,j}) : 1 \le j \le n\}$ for some $i^*$ such that $\phi(b_{i^*,1}, \ldots, b_{i^*,n}) = 1$.

Definition 1. A proof system is called commital deniable if the following con- 
ditions hold: 

Completeness When executed with an honest prover P , an honest verifier V 
always accepts at the end of the protocol. 

Soundness There is a knowledge extractor such that if $V$ accepts the proof then the knowledge extractor can find in polynomial time w.v.h.p. decommitals of $y_{i,1}, \ldots, y_{i,n}$ for some $i$ that satisfy $\phi$.

Commital Deniability There is a faking algorithm $F$ that takes as input the real decommitals $b_{i^*,1}, r_{i^*,1}, \ldots, b_{i^*,n}, r_{i^*,n}$, and the new decommitals $b_{i',1}, r_{i',1}, \ldots, b_{i',n}, r_{i',n}$, where $i^* \ne i'$ or $i^* = i'$ are both possible, and where $\phi(b_{i^*,1}, \ldots, b_{i^*,n}) = \phi(b_{i',1}, \ldots, b_{i',n}) = 1$. The faking algorithm is also given the transcript $T$ of the proof protocol and the internal coin flips of the prover. The output of $F$ is a new sequence of internal coin flips that make the (real) transcript consistent with the new decommitals.

Theorem 1. Every formula has a commital deniable proof of knowledge. 

Prover and Verifier both know a boolean formula $\phi$, cryptographic parameters 
$p, q, g, h$, and boolean commitments $\{y_{i,j} : 1 \le i \le k, 1 \le j \le n\}$ for some $k \ge 2$. 
The Prover secretly knows $\{b_{i^*,j}, r_{i^*,j} : 1 \le j \le n\}$ for some $i^*$. The Prover 
wants to demonstrate to the Verifier that $\phi(\{b_{i^*,j} : 1 \le j \le n\}) = 1$, without 
revealing any useful information about $i^*$ or the satisfying assignment. 

1. Prover $\to$ Verifier: $\{u_{i,v} : 1 \le i \le k, v \in I\}$. 

2. Verifier $\to$ Prover: $c \in_R \mathbb{Z}_q$. 

3. Prover $\to$ Verifier: $\{c_i : 1 \le i \le k\}$, $\{c_{i,e} : 1 \le i \le k, e \in E\}$, $\{\alpha_{i,v} : 1 \le i \le 
k, v \in I\}$. 

4. Verifier accepts if and only if the following: 

(a) $c = \sum_{i=1}^{k} c_i \bmod q$. 

(b) $c_{i,e_1} + c_{i,e_2} = c_{i,e_3} \bmod q$ for every internal OR gate with incoming edges 
$e_1, e_2$ and outgoing edge $e_3$, for every $1 \le i \le k$. 

(c) $c_{i,e_1} = c_{i,e_2} = c_{i,e_3}$ for every internal AND gate with incoming edges 
$e_1, e_2$ and outgoing edge $e_3$, for every $1 \le i \le k$. 

(d) If the output node is an OR gate with incoming edges $e_1, e_2$, then $c_{i,e_1} + 
c_{i,e_2} = c_i \bmod q$, for every $1 \le i \le k$. 

(e) If the output node is an AND gate with incoming edges $e_1, e_2$ then 
$c_{i,e_1} = c_{i,e_2} = c_i$, for every $1 \le i \le k$. 

(f) For every input node $v \in I$ with label $z_j$ and outgoing edge $e$, 
$\ldots = g h^{\alpha_{i,v}} \bmod p$, for every $1 \le i \le k$. 

(g) For every input node $v \in I$ with label $\bar z_j$ and outgoing edge $e$, 
$\ldots = h^{\alpha_{i,v}} \bmod p$, for every $1 \le i \le k$. 

Claim 1: An honest prover can execute this protocol so that an honest verifier 
always accepts. 

Claim 2: This protocol is a witness indistinguishable proof of knowledge of a 
$\phi$-satisfying decommital of $\{y_{i,j} : 1 \le j \le n\}$ for some $i$. 

Claim 3: This protocol is commital-deniable. 

Claim 4: The message complexity of the protocol is $O(\#I \cdot k)$. (The last message 
from Prover to Verifier appears to have size $O(\#E \cdot k)$, but it was written this way 
for simplicity. In fact, all of the $c_{i,e}$ can be derived from $\{c_{i,e} : 1 \le i \le k, e \in E_I\}$ 
where $E_I$ are the out-edges of input nodes.) 

Claims 1-4 yield Theorem 2. 

Proof of Claim 1: 

1. Prover prepares the first message to Verifier as follows: 

(a) Choose $c_i \in_R \mathbb{Z}_q$ for all $i \ne i^*$. 

(b) Choose $c_{i,e} \in \mathbb{Z}_q$ for all $i \ne i^*$ and for all $e \in E$, subject to constraints 
4b-e, but otherwise drawn from the uniform distribution. 

(c) If input node $v$ has outgoing edge $e$ and label $z_j$: 

i. Choose $\alpha_{i,v} \in_R \mathbb{Z}_q$ for all $i \ne i^*$. 

ii. Compute $u_{i,v} = (g h^{\alpha_{i,v}} / y_{i,j})^{-c_{i,e}} \bmod p$ for all $i \ne i^*$. 

iii. If $b_{i^*,j} = 0$, then choose $c_{i^*,e}, \alpha_{i^*,v} \in_R \mathbb{Z}_q$ and compute $u_{i^*,v} = 
(g h^{\alpha_{i^*,v}} / y_{i^*,j})^{-c_{i^*,e}} \bmod p$. 

iv. If $b_{i^*,j} = 1$, then choose $s_{i^*,v} \in_R \mathbb{Z}_q$ and compute $u_{i^*,v} = h^{s_{i^*,v}} \bmod 
p$. 

(d) If input node $v$ has outgoing edge $e$ and label $\bar z_j$: 

i. Choose $\alpha_{i,v} \in_R \mathbb{Z}_q$ for all $i \ne i^*$. 

ii. Compute $u_{i,v} = (h^{\alpha_{i,v}} / y_{i,j})^{-c_{i,e}} \bmod p$ for all $i \ne i^*$. 

iii. If $b_{i^*,j} = 1$, then choose $c_{i^*,e}, \alpha_{i^*,v} \in_R \mathbb{Z}_q$ and compute $u_{i^*,v} = 
(h^{\alpha_{i^*,v}} / y_{i^*,j})^{-c_{i^*,e}} \bmod p$. 

iv. If $b_{i^*,j} = 0$, then choose $s_{i^*,v} \in_R \mathbb{Z}_q$ and compute $u_{i^*,v} = h^{s_{i^*,v}} \bmod 
p$. 

2. Prover receives challenge $c$ from Verifier. 

3. Prover prepares his response to Verifier as follows: 

(a) Compute $c_{i^*} = c - \sum_{i \ne i^*} c_i \bmod q$. 

(b) Choose $c_{i^*,e} \in \mathbb{Z}_q$ for all $e \in E$ for which this is still unassigned, subject 
to constraints 4b-e, and otherwise drawn from the uniform distribution. 
Note that this must be possible given that $\{b_{i^*,j} : 1 \le j \le n\}$ is a 
satisfying assignment for $\phi$. 

(c) If input node $v$ has outgoing edge $e$ and label $z_j$, and $b_{i^*,j} = 1$, then 
compute $\ldots \bmod q$. 

(d) If input node $v$ has outgoing edge $e$ and label $\bar z_j$, and $b_{i^*,j} = 0$, then 
compute $\alpha_{i^*,v} = \ldots + s_{i^*,v} c_{i^*,e} \bmod q$. 

Proof of Claim 2: The proof follows from Theorem 8 of Cramer et al. [13]. 
Here the underlying secret sharing scheme is the dual of the Benaloh-Leichter 
scheme [3]. 

Proof of Claim 3: Given knowledge of $\{b_{i',j}, r_{i',j} : 1 \le j \le n\}$ for some $i'$, 
Prover can compute $s_{i',v}$ for every satisfied input node $v$ with outgoing edge $e$: 
$s_{i',v} = c_{i',e}(r_{i',j} - \alpha_{i',v})$. (Here “satisfied” means that $v$ is labeled with $z_j$ and 
$b_{i',j} = 1$, or labeled with $\bar z_j$ and $b_{i',j} = 0$.) This equation also allows the Prover 
to compute the quantities needed for previously satisfied nodes $v$. Given these discrete logs, the 
Prover can fake the internal transcript for its computation as in the proof of 
Claim 1. 

Corollary 1: Claims 1-4 remain true when some of the boolean variables have 
a fixed assignment that is known to both the Prover and Verifier. Prover and 
Verifier simply replace $\phi$ with a smaller formula that “hardwires” the assignment 
$\{b_j : j \in F\}$, and then proceed with the earlier protocol. 

Corollary 2: The protocol can be modified for the case where $\phi$ is a boolean 
circuit but not a formula. This can be viewed as applying a standard transfor- 
mation to the circuit to convert it to an equivalent formula, and then executing 
the original protocol on the resulting formula. 

Corollary 3: When $\phi = (z_1 \vee \bar z_1)$, then the protocol is a commital deniable 
proof of knowledge of a decommital for one of $k$ committed bits. This can easily 
be modified into a commital deniable proof of knowledge for $t < k$ committed 
bits, by modifying Verifier’s test (4a): All of the $(i, c_i)$ should lie on a degree 
$k - t$ polynomial that passes through $(0, c)$. It is this version of the protocol that 
we will need in the next section for our deniable payment scheme. 

Corollary 4: Consider the formula $\Phi(x_{1,1}, \ldots, x_{k,n}) = \phi(x_{1,1}, \ldots, x_{1,n}) \vee \cdots \vee 
\phi(x_{k,1}, \ldots, x_{k,n})$. Then our protocol can be viewed as a commital deniable proof 
of knowledge of certain decommitals of inputs to $\Phi$ that guarantee that it is 
satisfied. Our protocol can be modified to allow a prover to demonstrate this 
for any sufficient subset of decommitals of any formula (instead of just the $k$ 
partition subsets that we need for our applications). 
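As an added illustration (this is not code from the paper), the following Python simulates the protocol for the Corollary 3 formula $\phi = (z_1 \vee \bar z_1)$ over $k$ commitments, i.e. a proof of knowledge of a decommital of one of $k$ committed bits, together with the faking algorithm of Claim 3. It assumes a toy group with $p = 1019$, $q = 509$ and a Schnorr-style verification equation $h^{\alpha} = u \cdot \mathrm{target}^{c}$ in place of tests 4f/4g, whose left-hand sides are illegible in the scan; the overall structure (simulated nodes fix their sub-challenges, the OR constraints 4a/4d determine the real node's challenge, and the faking step solves for the coin $s$) follows the proofs of Claims 1 and 3. Every name below is this example's own.

```python
import secrets

# Constructed toy group: p = 2q + 1 with q prime; g = 4 and h = 9 are squares mod p,
# so both have order q.  Real parameters need a large q and log_g h unknown to all
# parties; in this toy group that log is trivially computable, so this is a demo only.
P, Q = 1019, 509
G, H = 4, 9


def commit(b, r):
    """Boolean commitment y = g^b h^r mod p (the paper's y_{i,j}), b in {0,1}, r in Z_q."""
    return pow(G, b, P) * pow(H, r, P) % P


def targets(y):
    """Input-node targets for phi = z_1 OR not-z_1 applied to one commitment y:
    label not-z_1 (b = 0) needs y to be an h-power, label z_1 (b = 1) needs y/g to be."""
    return {0: y, 1: y * pow(G, -1, P) % P}


def prove_commit(ys, i_star, b_star):
    """Step 1: first message {u_{i,v}} plus the prover's coin flips.  The node the prover
    can really satisfy gets u = h^s; every other node is simulated by choosing its
    sub-challenge and response first (as in step 1(c)-(d) of the proof of Claim 1)."""
    us, state = {}, {}
    for i, y in enumerate(ys):
        tgt = targets(y)
        for b in (0, 1):
            if (i, b) == (i_star, b_star):
                s = secrets.randbelow(Q)
                state[(i, b)] = ("real", s)
                us[(i, b)] = pow(H, s, P)
            else:
                c_ib, a_ib = secrets.randbelow(Q), secrets.randbelow(Q)
                state[(i, b)] = ("sim", c_ib, a_ib)
                us[(i, b)] = pow(H, a_ib, P) * pow(tgt[b], -c_ib, P) % P
    return us, state


def prove_respond(c, k, i_star, b_star, r_star, state):
    """Step 3: simulated nodes already fixed their c_{i,b}; the constraints
    c_{i,0} + c_{i,1} = c_i (test 4d) and sum_i c_i = c (test 4a) determine c_{i*} and
    the real node's sub-challenge, whose response is alpha = s + c_{i*,b*} * r."""
    cb = {key: st[1] for key, st in state.items() if st[0] == "sim"}
    cs = {i: (cb[(i, 0)] + cb[(i, 1)]) % Q for i in range(k) if i != i_star}
    cs[i_star] = (c - sum(cs.values())) % Q
    cb[(i_star, b_star)] = (cs[i_star] - cb[(i_star, 1 - b_star)]) % Q
    alphas = {key: (st[2] if st[0] == "sim" else (st[1] + cb[key] * r_star) % Q)
              for key, st in state.items()}
    return cs, cb, alphas


def verify(ys, us, c, cs, cb, alphas):
    """Verifier: challenge-sharing tests 4a and 4d, then per input node the Schnorr
    equation h^alpha = u * target^c (this demo's stand-in for tests 4f/4g)."""
    if sum(cs.values()) % Q != c % Q:
        return False
    for i, y in enumerate(ys):
        if (cb[(i, 0)] + cb[(i, 1)]) % Q != cs[i]:
            return False
        tgt = targets(y)
        for b in (0, 1):
            if pow(H, alphas[(i, b)], P) != us[(i, b)] * pow(tgt[b], cb[(i, b)], P) % P:
                return False
    return True


def fake_coins(us, cb, alphas, i_new, b_new, r_new):
    """Faking algorithm (Claim 3): coin flips under which the unchanged transcript is
    the honest run of a prover who knew decommital (b_new, r_new) of y_{i_new}.
    The new real node gets s = alpha - c * r; every other node is read as simulated."""
    return {key: (("real", (alphas[key] - cb[key] * r_new) % Q) if key == (i_new, b_new)
                  else ("sim", cb[key], alphas[key])) for key in us}


def coins_explain_transcript(ys, us, state):
    """Replay step 1 from the given coin flips and compare with the recorded u's."""
    for (i, b), st in state.items():
        tgt = targets(ys[i])
        u = pow(H, st[1], P) if st[0] == "real" else pow(H, st[2], P) * pow(tgt[b], -st[1], P) % P
        if u != us[(i, b)]:
            return False
    return True


def demo(k=4, i_star=1, tamper=False):
    """Honest run over k commitments (prover knows only y_{i_star}), then fake it for
    y_{i_new}.  tamper=True corrupts one response so both checks fail."""
    bs = [secrets.randbelow(2) for _ in range(k)]
    rs = [secrets.randbelow(Q) for _ in range(k)]
    ys = [commit(b, r) for b, r in zip(bs, rs)]
    us, state = prove_commit(ys, i_star, bs[i_star])
    c = secrets.randbelow(Q)                                 # verifier's challenge
    cs, cb, alphas = prove_respond(c, k, i_star, bs[i_star], rs[i_star], state)
    if tamper:
        alphas[(0, 0)] = (alphas[(0, 0)] + 1) % Q
    ok = verify(ys, us, c, cs, cb, alphas)
    i_new = (i_star + 1) % k
    faked = fake_coins(us, cb, alphas, i_new, bs[i_new], rs[i_new])
    return ok, coins_explain_transcript(ys, us, faked)
```

`demo()` returns `(True, True)`: the verifier accepts, and the faked coin flips reproduce every $u_{i,v}$ of the very same transcript, so the transcript is equally consistent with the prover having opened $y_{i_{\mathrm{new}}}$ instead of $y_{i^*}$. Note that the faking step needs the decommital of the commitment it switches to, exactly as in the definition of commital deniability.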

5 Our Deniable Payment Protocol 

In this section we will describe a protocol that allows a party to receive deniable 
payments. The protocol is practical. As in [1] we call this receiving party a Blind 
Trust and describe a five-phase protocol for how such a trust can be used to collect 
deniable donations for one candidate. 


5.1 The Protocol 

After an initial system setup phase, our protocol has five consecutive phases: (1) 
Pre-donation, (2) Cancellation, (3) Verification, (4) Deniability, and (5) Reim- 
bursement. 

System Setup: A trusted organization chooses a field $F_p$ such that $G_q$ is a 
cyclic subgroup of large prime order $q$ of the multiplicative group of $F_p$ and 
that DLOG is hard in $G_q$. Furthermore generators $g, h$ of $G_q$ are chosen, s.t. 
$\log_g h$ is unknown. $p, q, g, h$ are made public. 

1. Pre-Donation: Every party $D_i$, $1 \le i \le l$, who would like to make a (deni- 
able) donation of $d_i$ dollars to the candidate selects $d_i$ elements $r_{i,j} \in_R \mathbb{Z}_q$ 
and $d_i$ elements $b_{i,j} \in_R \mathbb{Z}_2$ and computes $y_{i,j} := g^{b_{i,j}} h^{r_{i,j}}$. He transfers via 
a non-anonymous payment mechanism that has receipts (e.g., checks) the 
amount of $d_i$ dollars to the trust. He additionally sends the list of elements 
$y_{i,1}, \ldots, y_{i,d_i}$ to the trust. The trust verifies the legitimacy of the origin of 
the received funds by traditional means and enters the fact that party $D_i$ 
made a pre-donation of amount $d_i$ and the elements $y_{i,1}, \ldots, y_{i,d_i}$ into a public 
database. $D_i$ checks that his predonated amount $d_i$ was correctly entered into 
the database. (If this is not the case he can complain to a third party using 
the receipt.) After the pre-donation phase is closed no further pre-donations 
are accepted. 

2. Cancellation: A donor who wishes to “cancel” an amount of $c_i \le d_i$ dollars 
of his pre-donation sends a message to the trust that contains the quadruples 
$(i, j, b_{i,j}, r_{i,j})$, $1 \le j \le c_i$. The trust stores secretly all the quadruples it 
receives during this phase. 

3. Verification: Assume the trust received $k$ quadruples of discrete logs of el- 
ements in the database $D$ during the cancellation phase. In the verification 
phase the trust proves with a commital deniable proof of knowledge that it 
knows decommitals for $k$ of the $d := d_1 + \cdots + d_l$ elements in the public 
database. The trust makes a payment of $d - k$ dollars to the candidate it col- 
lects the donations for. This uses the commital deniable proof of knowledge 
from the previous section, as modified in Corollary 3. 

4. Deniability: All donors are required to reveal their secret values $b_{i,j}, r_{i,j}$ to 
the public. 

5. Reimbursement: In the reimbursement phase each donor who made a can- 
cellation can contact the trust and arrange for reimbursement, e.g., with 
electronic cash. Here it is important that a user undeniably identifies him- 
self to the trust (e.g., in a personal contact and with a picture I.D.) to 
avoid impersonation attacks of a blackmailing candidate who tries to check 
if actually a donation was made by trying to get reimbursed. 


Theorem 2. Under the assumption of an untappable channel and that the trust 
is not pre-coerced, the protocol is receipt-free for the donor. It is incoercible for 
the trust without erasure after completion of the deniability phase. Every system 
participant can verify that the candidate did not receive less money than what 
a trust following the protocol honestly would have paid him. Furthermore the 
money the candidate obtains comes from legitimate sources. 

Before giving the proof sketch we make several remarks. 

1. As the protocol is receipt-free for the donor, it defends against a blackmailing 
candidate as well as against an influence buying donor. 

2. The receipt-freeness for the donor relies on the fact that he knows the repre- 
sentation of the elements he submitted during the pre-donation phase. Extra 
measures can be taken to assure this. E.g., if each donor holds a public/se- 
cret key pair $(PK, SK)$ (of which one is sure the donors know the secret key), 
the protocol could require that the donors additionally submit an encryp- 
tion of the representations under their public key and a ZK proof that they 
encrypted the correct value. These data are additionally entered into the 
public database. 

3. Using techniques from distributed cryptography [6,14] the trust can be dis- 
tributed over several agencies that cooperate in the execution of the protocol. 

4. As the donors and the values $g^b h^r$ they submitted are publicly known they 
can be forced to reveal their secret values in the revelation phase by external 
means. 

5. Our cryptography based solution improves on the earlier physical imple- 
mentation of [1] which does not offer verifiability. There it was suggested to 
achieve some form of auditability by having the trust keep all the records 
that could later (e.g., 10 years after the election) be publicly audited. Be- 
sides the delay, record keeping has further disadvantages. It would make 
the agency vulnerable to coercion, e.g., by the candidate after he won the 
presidential elections. Furthermore sensitive information about which donor 
cancelled would be revealed in the auditing process. 

6. Our protocol improves on the physical implementation of deniable donations, 
where a donor steps into a donation booth and drops dollar bills into a 
donation box, as this implementation does not offer verifiability. 

7. To minimize the information that can be derived about individual donations 
from the publicly known values $d_1, \ldots, d_l, k$, parties who have an interest in 
a well functioning deniable donation mechanism can deliberately predonate 
and cancel. (Note that if, e.g., $k$ were 0 it would be clear that each donor $D_i$ 
made an actual donation $d_i$.) 

8. The complexity for construction and verification of the commital 
deniable proof depends linearly on the number of witnesses. Although this 
still seems to be feasible it requires significant computing power at the side 
of the trust and the parties that verify the proof. We think it would be 
interesting to improve the efficiency of the proofs (e.g., with probabilistic 
techniques). 

9. Our protocol as it stands does not ensure that donors who cancelled get 
reimbursed. The trust may refuse to pay them. We sketch a variant of the 
protocol that prevents this: in the pre-donation phase donor $D_i$ sends a 
pair of commitments to values $(b_{i,j}, v_{i,j})$ for his $j$’th donated dollar to the 
trust which enters these pairs into the public database. In the cancellation 
phase the donor cancels his $j$’th dollar by sending as before $(b_{i,j}, r_{i,j})$ to the 
trust. Assuming the trust receives $k$ decommitals it pays $d - k$ dollars to 
the candidate. The reimbursement phase follows in this variant directly the 
cancellation phase. When $D_i$ obtains his $j$’th dollar back from the trust he 
reveals $(v_{i,j}, s_{i,j})$ in return to the trust ($s_{i,j}$ is the randomness used when 
committing to $v_{i,j}$). In the verifiability phase the trust proves with a commi- 
tal deniable proof that it knows $k$ out of the $d$ pairs that were entered into 
the public database. Then follows the deniability phase where all donors are 
required to reveal their secret values $b_{i,j}, r_{i,j}, v_{i,j}, s_{i,j}$. 

10. Our protocol does not protect against third party attempts (e.g., by a com- 
peting candidate) to force a donor to cancel his donation. 

Proof of Theorem 2 (Sketch) 

Under the assumption that the donor has an untappable channel he could have 
sent an unnoticed cancellation notice to the trust. In particular he can not prove 
to the candidate that he did not send a cancellation message to the trust. A 
donor could be coerced to cancel a donation, but not to make a donation that 
cannot be canceled later. This gives receipt-freeness for the donor. 

As the trust makes a sound proof of knowledge of $k$ out of $d$ representations 
during the verification phase public, and as the total amount of predonated 
funds $d$ is publicly known, the trust can not pay less money out to the candidate 
than $d$ minus the number of distinct secrets it received during the cancellation 
phase, which proves public verifiability. 

We assumed that the trust is not pre-coerced. Thus in particular the “random” 
bits used to produce the proof of knowledge in the verification phase were in fact 
chosen honestly at random. After the deniability phase is completed the 
trust can “open” his proof of knowledge as coming from any $k$-element subset 
of the secret values by the previously proved properties of a commital deniable 
proof. This shows that the trust is later unable to prove any more information 
about who the actual donors were (resp. what the donated amounts were) than what can 
already be derived from the publicly known values $d_1, \ldots, d_l$ and $k$. As this holds 
even in the presence of accidentally or intentionally kept cancellation messages 
our protocol does not require erasure of cancellation messages. 

As the trust accepts only non-anonymous pre-donations the legitimacy of these 
funds and consequently also of the funds that get paid out to the candidate can 
be determined. This concludes the proof. 

6 Deniability of Chaumian E-Cash 

6.1 An Incoercible Payment System 

In this section we study the deniability properties of anonymous electronic cash. 
We show how the basic anonymous ecash system can be made incoercible. De- 
niability can be seen as a much stronger privacy enhancing property than pure 
anonymity as it additionally preserves the privacy of payments under external 
coercion. 

We briefly review the protocol for Chaumian ecash [11]. The bank has gener- 
ated an RSA modulus $N$ and a public/secret key pair $(e, d)$. An electronic coin 
consists of a pair $(x, h(x)^d)$, where $h$ is a fixed hash function. During withdrawal 
the user $A$ obtains a blind signature on $h(x)$ from the bank: $A$ picks a random 
serial number $x$ and computes $h(x)$. $A$ picks a random “blinding factor” $r$ and 
computes $m = r^e h(x)$. $A$ sends $m$ to the bank. The bank computes the RSA sig- 
nature $m^d$ on $m$ and sends $m^d$ back to $A$. $A$ computes $r^{-1} m^d$ and has obtained 
an RSA signature on $h(x)$. During payment the user sends the coin $(x, h(x)^d)$ to 
the merchant who passes the coin on to the bank. The bank verifies the validity 
of the signature and that the coin has not been spent before. If both conditions 
are met the bank credits the merchant’s account with the corresponding value 
and enters the serial number $x$ into its database of spent coins. 

A user could be coerced by the bank, or by the government to reveal how he 
spent the coin obtained during a particular withdrawal session. Thus in order to 
make this protocol incoercible a user has to be able to “open” the message m in 
a way that leads to a different coin than the one he actually withdrew. As the 
system is unforgeable, lying can not result in the presentation of a coin that has 
not in fact been obtained from the bank before. However we observe that a user 
can open the message m = r e h(x) he sent during withdrawal to come from any 
other coin (y,h(y) d ) he is aware of, as the following simple algorithm shows: 
FAKING-ALGORITHM: 

Input: $r, h(x)^d, h(y)^d$ 

Output: an element $s$, s.t. $s^e h(y) = r^e h(x)$ 

Algorithm: 

1. Compute: $s := r \cdot h(x)^d / h(y)^d$. 

2. Output $s$. 

Thus the only modification needed to make the Chaumian ecash system 
incoercible is to require that the bank makes a list of all spent coins $(x, h(x)^d)$ 
public. Under coercion a user could then choose any coin of this list to open his 
withdrawal transcript. 

This incoercibility protects the privacy of payments even in the presence of 
a later coercion attempt. Another interpretation of this observation is that the 
classical version of Chaumian ecash does not allow users to prove or disprove how 
they spent their coins under external coercion, say if they are under investigation 
by the police. 


6.2 Self-Coercion 

The protocol is quite ineffective against a self-coercing user. A self-coercing user 
can deviate from the protocol by choosing his blinding factor $r$ not as a random 
value, but as the image of a cryptographically strong hash function $H$ at a 
randomly chosen $t$. To prove now to somebody else that in fact a payment with 
a coin with serial number $x$ was initiated by him, he presents his withdrawal 
record, the coin and the preimage $t$ of the blinding factor $r$. He can no longer 
make his withdrawal record look like that of another coin, as this would require 
him to find a preimage of $r h(x)^d / h(y)^d$ under $H$. (Note that even the knowledge 
of the secret key $d$ of the bank does not seem to help to create withdrawal records 
that can be opened as two different coins as the serial numbers are also images 
of hash functions.) 
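The following Python is an added example (not code from the paper) that walks through Sections 6.1 and 6.2: a Chaumian withdrawal, the FAKING-ALGORITHM that re-opens the transcript $m = r^e h(x)$ as the withdrawal of another spent coin $(y, h(y)^d)$, and the self-coercing choice $r = H(t)$. It assumes a deliberately tiny RSA key ($N = 10007 \cdot 10009$) and models both $h$ and $H$ with SHA-256 reduced modulo $N$; the serial numbers and blinding factors are constructed sample values.

```python
import hashlib
import math

# Constructed toy RSA key (far too small for real use): N = 10007 * 10009.
P_, Q_ = 10007, 10009
N = P_ * Q_
E = 65537
D = pow(E, -1, (P_ - 1) * (Q_ - 1))      # the bank's secret exponent d


def h(x):
    """The paper's fixed hash h; here SHA-256 reduced into Z_N (a choice of this demo)."""
    return int.from_bytes(hashlib.sha256(str(x).encode()).digest(), "big") % N


def pick_serial(start):
    """First serial number >= start whose hash is a unit mod N (so inverses exist)."""
    x = start
    while math.gcd(h(x), N) != 1:
        x += 1
    return x


def withdraw(x, r):
    """Chaumian withdrawal.  Returns the transcript m = r^e h(x) (what a later coercer
    can see) and the unblinded signature h(x)^d that forms the coin (x, h(x)^d)."""
    m = pow(r, E, N) * h(x) % N            # user blinds h(x)
    blind_sig = pow(m, D, N)               # bank signs m without learning x
    sig = blind_sig * pow(r, -1, N) % N    # r^{-1} m^d = h(x)^d
    return m, sig


def valid_coin(x, sig):
    """Bank-side signature check at deposit time."""
    return pow(sig, E, N) == h(x)


def fake_blinding(r, sig_x, sig_y):
    """FAKING-ALGORITHM of Section 6.1: s = r * h(x)^d / h(y)^d, so s^e h(y) = r^e h(x)."""
    return r * sig_x * pow(sig_y, -1, N) % N


def opens_to(m, blinding, serial):
    """Is transcript m consistent with withdrawing coin `serial` under `blinding`?"""
    return pow(blinding, E, N) * h(serial) % N == m


def self_coercing_blinding(t):
    """Section 6.2: a self-coercing user sets r = H(t) for a random t he can later reveal
    (H is modelled as a domain-separated SHA-256; the loop keeps r a unit mod N)."""
    r = 2 + int.from_bytes(hashlib.sha256(b"blind:" + str(t).encode()).digest(), "big") % (N - 2)
    while math.gcd(r, N) != 1:
        r += 1
    return r


def demo():
    """Two coins on the bank's public spent list; the user opens the withdrawal
    transcript of x as if it had been the withdrawal of y."""
    x, y = pick_serial(1001), pick_serial(2002)
    r_x, r_y = 4242, 7777                  # constructed blinding factors, units mod N
    m_x, sig_x = withdraw(x, r_x)
    m_y, sig_y = withdraw(y, r_y)
    s = fake_blinding(r_x, sig_x, sig_y)
    both_valid = valid_coin(x, sig_x) and valid_coin(y, sig_y)
    # the same transcript m_x now has two consistent explanations
    deniable = opens_to(m_x, s, y) and opens_to(m_x, r_x, x)
    # self-coercion: revealing t pins the transcript to coin x
    t = 31337
    m_sc, _ = withdraw(x, self_coercing_blinding(t))
    bound = opens_to(m_sc, self_coercing_blinding(t), x)
    return both_valid, deniable, bound
```

`demo()` returns `(True, True, True)`: both coins verify, the transcript $m_x$ opens to either coin, and in the self-coercing variant the revealed $t$ reproduces the blinding factor, which is exactly why that variant loses deniability. The faking step needs $h(y)^d$, i.e. the bank's published list of spent coins, which is the single modification the paper asks for.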

7 Conclusions 

In conclusion, it is possible to use cryptographic methods to implement the rad- 
ical campaign proposal of Ayres and Bulow. The building blocks of commital 
deniable proofs and deniable payment schemes are interesting in their own right, 
and may well find other applications. It would be interesting to find efficient deni- 
able versions for other cryptographic applications, e.g., for anonymous remailing 
where the traffic from the client to the mix is observed by a potential future 
coercer. 
Abstract. Naor and Pinkas introduced metering schemes at Eurocrypt ’98 in order to decide on advertisement fees for web servers. In 
the schemes, any server should be able to construct a proof to be sent 
to an audit agency if and only if it has been visited by at least a cer- 
tain number, say k, of clients. This paper first shows an attack for their 
schemes such that only two malicious clients can prevent a server from 
computing a correct proof. We next present provably secure metering 
schemes. Finally, an efficient robust secret sharing scheme is derived from 
our metering scheme. 


1 Introduction 

In the Internet, the amount of money paid to a web server by an advertisement 
company for hosting an ad should depend on the number of clients which have 
visited the server. A metering scheme is a protocol which measures this number. 

We assume an audit agency as well as servers and clients. Any server should 
be able to construct a proof to be sent to the audit agency if and only if it has 
been visited by at least a certain number, say k, of clients during a certain time 
frame. It should be secure against fraud attempts by servers which inflate the 
number of their clients and against clients that attempt to disrupt the metering 
process. 

A naive metering scheme could be implemented by using digital signature 
schemes; each client gives a digital signature to a server which confirms his 
visit when the client visits the server. A server can present a list of the digital 
signatures as a proof. This system is, however, not efficient: both the size of the 
proof and the time to verify it are of the same order as k. Naor and Pinkas 
showed much more efficient metering schemes at Eurocrypt ’98 [2]. 

This paper first shows an attack for their schemes such that only two ma- 
licious clients can prevent a server from computing a correct proof. We next 
present provably secure metering schemes, an unconditionally secure one and a 
computationally secure variant for multiple use under the computational Diffie- 
Hellman assumption. 

We finally derive an efficient robust secret sharing scheme from our uncondi- 
tionally secure metering scheme. In our robust secret sharing schemes, the size 
of shares is much smaller than those of the previous ones while the cheating 
probability is slightly larger. 

T. Okamoto (Ed.): ASIACRYPT 2000, LNCS 1976, pp. 388-398, 2000. 

© Springer-Verlag Berlin Heidelberg 2000 
2 Model and Goal 

In the model of metering schemes, there exist clients (denoted by $C_i$), servers 
(denoted by $S_j$) and an audit agency (denoted by $A$). Each $S_j$ should be able to 
construct a proof to be sent to $A$ if and only if $k$ or more clients visit $S_j$ during 
a certain time frame. 

Some clients and servers are malicious while the audit agency is honest. 
Assume that there exists an adversary which corrupts some clients and servers. 
Then our goal is to design metering schemes which satisfy the following two 
requirements. 

Security for servers Suppose that $k$ or more clients visit a server $S_j$ during a 
time frame $t$. Then $S_j$ should be able to compute a proof with overwhelming 
probability even if the adversary corrupts all the clients and all the servers 
other than $S_j$. 

Security for the audit agency Suppose that less than $k$ clients visit a server 
$S_j$ during a time frame $t$. Then the adversary should not be able to compute 
a proof with nonnegligible probability even if the adversary corrupts $k - 1$ 
clients and some number of servers. 

It will be shown that the metering schemes of Naor and Pinkas do not sat- 
isfy the security for servers for an adversary who corrupts only two clients. On 
the other hand, the proposed metering schemes satisfy both of the above two 
requirements. 


3 Metering Schemes of Naor and Pinkas 

3.1 Basic Idea 

The metering schemes of Naor and Pinkas are based on Shamir’s secret sharing 
scheme. First, suppose that there exist a single server and a single time frame, 
and all the participants are honest. Then their basic scheme is described as 
follows. The audit agency chooses a random polynomial $f(x)$ of degree $k - 1$ 
over $GF(p)$. He gives each client $C_i$ a share $f(i)$. When a client visits a server, 
it gives it its share. When the server receives $k$ or more shares, he can compute 
$f(0)$ and it is the proof that he was visited by $k$ or more clients. 

To accommodate many servers and many time frames, this scheme is gener- 
alized as follows. The audit agency chooses a random polynomial $P(x, y)$ over 
$GF(p)$ of degree $k - 1$ in $x$ and degree $d - 1$ in $y$. He gives $P(i, y)$ to each client 
$C_i$. When client $C_i$ visits server $S_j$ during time frame $t$, it gives $P(i, j \circ t)$ to 
$S_j$. When $S_j$ receives $k$ or more shares during time frame $t$, he can compute 
$P(0, j \circ t)$ and it is the proof that he was visited by $k$ or more clients. 

This scheme is one-time use because the size of keys is proportional to the 
number of time frames for fixed $k$ and fixed number of servers. 
3.2 Unconditionally Secure Scheme [2, Sec. 3.3] 

Naor and Pinkas then proposed the following unconditionally secure scheme to 
make the above scheme secure against malicious clients and servers. This is a 
one-time use scheme as mentioned above. 

Initialization: The audit agency $A$ chooses random polynomials $P(x, y)$, $A(x, y)$ 
and $B(y)$ over $GF(p)$ such that 
— $P(x, y)$ is degree $k - 1$ in $x$ and degree $d - 1$ in $y$, 
— $A(x, y)$ is degree $c_k$ in $x$ and degree $c_d$ in $y$, 
— $B(y)$ is degree $c_d$ in $y$. 

$A$ computes 

$$V(x, y) = A(x, y) P(x, y) + B(y). \qquad (1)$$

It then sends $(V(i, y), P(i, y))$ to $C_i$ and $(A(x, j \circ 1), \ldots, A(x, j \circ T), B(j \circ 
1), \ldots, B(j \circ T))$ to $S_j$, where $\circ$ denotes concatenation of two strings. 
Interaction between client $C_i$ and server $S_j$: To get a service from server 
$S_j$ at time frame $t$, client $C_i$ sends 

$$(P(i, j \circ t), V(i, j \circ t))$$

to $S_j$. The $S_j$ checks if 

$$V(i, j \circ t) = A(i, j \circ t) P(i, j \circ t) + B(j \circ t).$$

$S_j$ offers a service to $C_i$ if the above equality holds. Otherwise, $S_j$ rejects. 
End of time frame: If $S_j$ has been visited by $k$ or more clients at time frame 
$t$, it can compute $P(0, j \circ t)$ from the received $P(i, j \circ t)$. The $P(0, j \circ t)$ is 
the proof that $S_j$ has been visited by $k$ or more clients at time frame $t$. $A$ 
who received $P(0, j \circ t)$ checks whether it is indeed $P(0, j \circ t)$. 

3.3 Computationally Secure Scheme [2, Sec. 3.5] 

Naor and Pinkas further presented a computationally secure variant for multiple 
use under the computational Diffie-Hellman assumption. 

Let $\mathbb{Z}_p^*$ be the cyclic group modulo $p$, and let $g$ be a generator of a subgroup 
of $\mathbb{Z}_p^*$ of order $q$, where $q$ is a prime. 

Initialization: Similarly to the scheme of Sec. 3.2, client $C_i$ receives $P(i, y)$ and 
$V(i, y)$ and server $S_j$ receives $A(x, j)$ and $B(j)$. 

Beginning of a time frame: Each server receives a challenge $h = g^r$ from the 
audit agency, where $r$ is a random number. 

Interaction between client $C_i$ and server $S_j$: To get a service from server 
$S_j$, client $C_i$ receives $h$ from $S_j$ and sends 

$$a_{i,j} = \ldots$$

to server $S_j$. $S_j$ accepts $a_{i,j}$ if and only if 

$$\ldots \bmod p.$$

End of time frame: $S_j$ can compute $h^{P(0,j)}$ if it has been visited by $k$ or more 
clients. The $h^{P(0,j)}$ $(= g^{r P(0,j)})$ is the proof. 
4 Attack for Naor and Pinkas Metering Schemes 

In this section, we show an attack for both of the Naor and Pinkas metering 
schemes. In our attack, two clients, one who has a special share and the other 
arbitrary, can prevent a server from computing a proof. In other words, the 
security for servers is not satisfied. We describe our attack for the unconditionally 
secure scheme. It works for the computationally secure scheme similarly. 

For some server $S_j$ and some time frame $t$, suppose that there exist two 
clients $C_{i_0}$ and $C_{i_1}$ such that 

$$P(i_0, j \circ t) = 0, \qquad P(i_1, j \circ t) \ne 0.$$

Then, from Equation (1) they can compute $B(j \circ t)$ and $A(i_1, j \circ t)$ as follows. 

$$V(i_0, j \circ t) = A(i_0, j \circ t) P(i_0, j \circ t) + B(j \circ t) = B(j \circ t),$$

$$A(i_1, j \circ t) = (V(i_1, j \circ t) - B(j \circ t)) / P(i_1, j \circ t) = (V(i_1, j \circ t) - V(i_0, j \circ t)) / P(i_1, j \circ t).$$

They next compute a random $(\tilde P, \tilde V)$ such that 

$$\tilde P \ne P(i_1, j \circ t), \qquad \tilde V = A(i_1, j \circ t) \tilde P + B(j \circ t).$$

Finally, $C_{i_1}$ sends $(\tilde P, \tilde V)$ to $S_j$ at time frame $t$ to get a service. Then $S_j$ accepts 
$(\tilde P, \tilde V)$ because eq. (1) is satisfied. 

However, at the end of time frame $t$, $S_j$ cannot compute the correct $P(0, j \circ t)$ 
even if it has been visited by $k$ clients because $\tilde P \ne P(i_1, j \circ t)$. 

5 Proposed Unconditionally Secure Metering Scheme 

In this section, we present an unconditionally secure metering scheme which 
satisfies both the security for servers and the security for the audit agency. We 
assume that there are T time frames. This scheme is one-time use and the size 
of keys is essentially proportional to T. 

5.1 Proposed Scheme 

Initialization: The audit agency $A$ chooses a key polynomial $F(x, y, z)$ over 
$GF(p)$ with degree 1 in $x$, degree $d - 1$ in $y$ and degree $k - 1$ in $z$ randomly. 
He also chooses a random element $r_j \in \mathbb{Z}_p \setminus \{0\}$ for each server $S_j$. Let 

$$P_i(x, y) = F(x, y, i), \qquad A_{t,j}(z) = F(r_j, j \circ t, z).$$

He then sends $a_i = P_i(x, y)$ to client $C_i$ and $s_j = (A_{1,j}(z), \ldots, A_{T,j}(z), r_j)$ to 
server $S_j$. 

Interaction between a client $C_i$ and a server $S_j$: To get service from $S_j$ at 
time frame $t$, $C_i$ sends 

$$a_{i,j} = P_i(x, j \circ t)$$

to $S_j$. The $S_j$ checks if 

$$A_{t,j}(i) = a_{i,j}(r_j).$$

$S_j$ offers a service to $C_i$ if the above equality holds. Otherwise, $S_j$ rejects. 
End of time frame: Note that if $C_i$ visits $S_j$ during time frame $t$, then $S_j$ can 
compute 

$$P_i(0, j \circ t) = F(0, j \circ t, i).$$

Therefore, if $S_j$ has been visited by $k$ or more clients during time frame $t$, 
then $S_j$ can compute $F(0, j \circ t, 0)$. The $F(0, j \circ t, 0)$ is the proof that $S_j$ has 
been visited by $k$ or more clients during time frame $t$. 

The audit agency $A$ who received $F(0, j \circ t, 0)$ checks whether it is indeed 
$F(0, j \circ t, 0)$. 

The scheme is illustrated in Fig. 1. 



Fig. 1. Robust metering scheme 
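The following Python is an added example (not code from the paper) covering both the Section 4 attack on the Naor and Pinkas scheme and the proposed scheme of Section 5.1. It assumes a toy field $GF(p)$ with $p = 1000003$, represents the label $j \circ t$ by a single field element $w$, picks $c_k = k$ and $c_d = d$ for the degrees of $A$ and $B$, and reads the server's check in the proposed scheme as comparing $A_{t,j}(i)$ with the received line evaluated at $r_j$, which is the condition the proof of Theorem 1 relies on. The seeded generator is for reproducibility only.

```python
import random
from itertools import product

p = 1_000_003               # constructed toy prime for GF(p); real schemes use a far larger p
rng = random.Random(2000)   # fixed seed so the demo is reproducible (use a CSPRNG in practice)


def evaluate(poly, point):
    """Evaluate a multivariate polynomial over GF(p).  poly maps exponent tuples to
    coefficients; point fixes each variable to a value or leaves it free with None.
    Returns an int when every variable is fixed, else a polynomial in the free ones."""
    out = {}
    for exps, coef in poly.items():
        val, rest = coef, []
        for e, v in zip(exps, point):
            if v is None:
                rest.append(e)
            else:
                val = val * pow(v, e, p) % p
        out[tuple(rest)] = (out.get(tuple(rest), 0) + val) % p
    return out[()] if list(out) == [()] else out


def random_poly(degrees):
    """Uniformly random polynomial with the given degree bound in each variable."""
    return {exps: rng.randrange(p) for exps in product(*[range(d + 1) for d in degrees])}


def interpolate_at_zero(points):
    """Lagrange interpolation over GF(p): value at 0 of the polynomial through the points."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num, den = num * (-xj) % p, den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def naor_pinkas_attack(k=3, d=4, w=7, i0=1, i1=2):
    """Section 4: client i0 (special share P(i0,w) = 0) and client i1 forge a share that
    passes the server's eq. (1) check, after which the server reconstructs a wrong proof."""
    while True:
        P = random_poly((k - 1, d - 1))
        P[(0, 0)] = (P[(0, 0)] - evaluate(P, (i0, w))) % p   # make P(i0, w) = 0
        if evaluate(P, (i1, w)) != 0:
            break
    A, B = random_poly((k, d)), random_poly((d,))           # c_k = k, c_d = d (demo choice)
    V = lambda i: (evaluate(A, (i, w)) * evaluate(P, (i, w)) + evaluate(B, (w,))) % p
    server_accepts = lambda i, Pv, Vv: Vv == (evaluate(A, (i, w)) * Pv + evaluate(B, (w,))) % p
    # the two colluders recover B(w) and A(i1, w) from their own shares alone
    Bw = V(i0)
    A1 = (V(i1) - Bw) * pow(evaluate(P, (i1, w)), -1, p) % p
    P_f = (evaluate(P, (i1, w)) + 1) % p                    # any value other than P(i1, w)
    V_f = (A1 * P_f + Bw) % p
    others = [(i, evaluate(P, (i, w))) for i in range(1, k + 1) if i != i1]
    proof = interpolate_at_zero(others + [(i1, P_f)])      # server's reconstruction
    return server_accepts(i1, P_f, V_f), proof == evaluate(P, (0, w))


def proposed_scheme(k=3, d=4, w=7, i1=2):
    """Section 5.1: key F(x,y,z) of degree 1 in x; S_j keeps a secret r_j and
    A_{t,j}(z) = F(r_j, w, z); client C_i sends the line a_{i,j}(x) = F(x, w, i).
    A forged line passes only if it agrees with the real one at the unknown r_j."""
    F = random_poly((1, d - 1, k - 1))
    r_j = rng.randrange(1, p)
    A_line = evaluate(F, (r_j, w, None))                   # A_{t,j}(z)
    check = lambda i, line: evaluate(A_line, (i,)) == evaluate(line, (r_j,))
    lines = {i: evaluate(F, (None, w, i)) for i in range(1, k + 1)}
    forged = dict(lines[i1])
    forged[(0,)] = (forged[(0,)] + 1) % p                  # a different line through x = 0
    proof = interpolate_at_zero([(i, evaluate(line, (0,))) for i, line in lines.items()])
    return (all(check(i, line) for i, line in lines.items()),
            check(i1, forged),
            proof == evaluate(F, (0, w, 0)))
```

`naor_pinkas_attack()` returns `(True, False)`: the forged pair is accepted, and the interpolated $P(0, w)$ is wrong, because two polynomials of degree $k - 1$ that agree on $k - 1$ honest points but differ at $i_1$ differ at 0 as well. `proposed_scheme()` returns `(True, False, True)`: honest lines pass, the forged line fails the check at $r_j$, and the $k$ honest values $F(0, w, i)$ interpolate to the proof $F(0, w, 0)$.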


5.2 Security for Servers 

In this subsection, we prove that the security for servers is satisfied for any 
infinitely powerful adversaries. 



Provably Secure Metering Scheme 393 


Theorem 1. Suppose that $k$ or more clients visit server $S_j$ during time frame $t$. 
Then $S_j$ can compute the proof $F(0, j \circ t, 0)$ with probability more than $1 - 1/(p - 1)$ 
for any adversary who corrupts all the clients and all the servers other than $S_j$. 

Proof. Note that $\deg P_i(x, j \circ t) = 1$. Now at least one client $C_i$ must send $\tilde P(x)$ 
of degree 1 to $S_j$ such that $\tilde P(x) \ne P_i(x, j \circ t)$ and $\tilde P(r_j) = P_i(r_j, j \circ t)$ to prevent 
$S_j$ from computing the proof. For any fixed $\tilde P(x)$ such that $\tilde P(x) \ne P_i(x, j \circ t)$, 
we have $\tilde P(r_j) = P_i(r_j, j \circ t)$ with probability $1/(p - 1)$ because $r_j$ is randomly 
chosen from $\mathbb{Z}_p \setminus \{0\}$ and two lines intersect at one point. This holds for any 
adversary who corrupts all the clients and all the servers other than $S_j$ because 
the adversary does not know $r_j$. □ 


5.3 Security for the Audit Agency 

In this subsection, we prove that the security for the audit agency is satisfied for 
any infinitely powerful adversaries. 

Theorem 2. Suppose that less than k clients visit server Sj during time frame 
t. Then no adversary who corrupts d/T servers and k — 1 clients can compute 
the proof F(0,j ot, 0) for any j and t with probability more than 1/p. 

Proof. Let a s = d/T. Without loss of generality, we consider an adversary who 
corrupts a s servers <Si, . . . , S a , and k — 1 clients C±, . . . . Cfe-i ■ The adversary 
tries to forge a false proof F( 0, a s o T, 0) for server S as and the last time frame 
T. 

We assume that for any $j \le a_s$ and any $t \le T$ such that $j \circ t \neq a_s \circ T$, 
server $S_j$ has been visited by $k$ or more clients during time frame $t$. Then all the 
information that the adversary has is (a) the initial secrets of the corrupted 
clients, (b) the initial secrets of the corrupted servers and (c) the information 
that the corrupted servers received from honest clients. (a) and (b) are 

(a) $F(x, y, 1), \ldots, F(x, y, k-1)$, 

(b) $r_1, \ldots, r_{a_s}$ and 

$F(r_1, 1 \circ 1, z), \ldots, F(r_{a_s - 1}, (a_s - 1) \circ 1, z), F(r_{a_s}, a_s \circ 1, z)$, 
$\vdots$ 
$F(r_1, 1 \circ T, z), \ldots, F(r_{a_s - 1}, (a_s - 1) \circ T, z), F(r_{a_s}, a_s \circ T, z)$. 

(c) is at most 

$\{F(x, j \circ t, i) \mid \text{for all } i \ge k \text{ and for all } j \circ t \text{ such that } j \le a_s \text{ and } j \circ t \neq a_s \circ T\}$. 

Suppose that the forged proof is $\beta$. For any value of $\beta$, we will show that 
there exists a key polynomial $\tilde F(x, y, z)$ which interpolates all the points of (a), 
(b), (c) and $\tilde F(0, a_s \circ T, 0) = \beta$. This means that the probability that $\beta$ is the 
correct proof is $1/p$. 
Note that $F(x, y, z)$ has degree 1 in $x$. Let $L_{a_s \circ T}(x)$ be a line which interpolates 
$\tilde F(0, a_s \circ T, 0) = \beta$ and $F(r_{a_s}, a_s \circ T, 0)$, where $F(r_{a_s}, a_s \circ T, 0)$ is obtained 
from (b). Next we can compute $F(0, j \circ t, 0)$ from (c) for all $j \circ t$ such that $j \le a_s$ 
and $j \circ t \neq a_s \circ T$. Let $L_{j \circ t}(x)$ be a line which interpolates $F(0, j \circ t, 0)$ and 
$F(r_j, j \circ t, 0)$, where $F(r_j, j \circ t, 0)$ is obtained from (b). 

Then we have $d$ lines 

$\{L_{j \circ t}(x) \mid j \le a_s \text{ and } t \le T\}$ 

because $a_s T = d$. Next note that $F(x, y, z)$ has degree $d-1$ in $y$. Let $B(x, y)$ be 
a polynomial of degree 1 in $x$ and degree $d-1$ in $y$ such that $B(x, j \circ t) = L_{j \circ t}(x)$ 
for all $j \le a_s$ and $t \le T$. 

Finally, let $\tilde F(x, y, z)$ be a polynomial of degree 1 in $x$, degree $d-1$ in $y$ and 
degree $k-1$ in $z$ such that $\tilde F(x, y, 0) = B(x, y)$ and $\tilde F(x, y, i) = F(x, y, i)$ for 
$1 \le i \le k-1$, where $F(x, y, i)$ is obtained from (a). 

We have to show that $\tilde F(x, y, z) = F(x, y, z)$ for all the points of (a), (b) and 
(c). It is clear that the claim holds for (a). Next we prove the claim for (b). Fix 
$j \le a_s$ and $t \le T$ arbitrarily. Then from our construction, it is easy to see that 
$\tilde F(r_j, j \circ t, i) = F(r_j, j \circ t, i)$ for $0 \le i \le k-1$. Therefore, 

$\tilde F(r_j, j \circ t, z) = F(r_j, j \circ t, z)$. (2) 

Finally, we prove the claim for (c). Similarly to eq.(2), we can show that 

$\tilde F(0, j \circ t, z) = F(0, j \circ t, z)$. (3) 

From eq.(3), we have $\tilde F(0, j \circ t, i) = F(0, j \circ t, i)$. From eq.(2), we have 
$\tilde F(r_j, j \circ t, i) = F(r_j, j \circ t, i)$. Hence, it holds that $\tilde F(x, j \circ t, i) = F(x, j \circ t, i)$. □ 

6 Proposed Computationally Secure Scheme 


In this section, we present a computationally secure variant for multiple use 
under the computational Diffie-Hellman assumption. 

6.1 Proposed Scheme 

Let $\mathbb{Z}_p^*$ be the cyclic group modulo $p$, and let $g$ be a generator of a subgroup of 
$\mathbb{Z}_p^*$ of order $q$, where $q$ is a prime. 

Initialization: Similarly to the scheme of Sec. 5.1, the audit agency $A$ chooses a 
key polynomial $F(x, y, z)$ over $GF(q)$ with degree 1 in $x$, degree $d-1$ in $y$ and 
degree $k-1$ in $z$ randomly. He also chooses a random element $r_j \in \mathbb{Z}_q \setminus \{0\}$ 
for each server $S_j$. Let 

$P_i(x, y) = F(x, y, i), \quad A_j(z) = F(r_j, j, z)$. 

He then sends $P_i(x, y)$ to client $C_i$ and $(A_j(z), r_j)$ to server $S_j$. 
Beginning of a time frame: At the beginning of time frame $t$, the audit 
agency $A$ publishes a challenge $h_t = g^{u_t} \bmod p$, where $u_t$ is a random number. 

Interaction between a client and a server: When client $C_i$ gets a service 
from server $S_j$ at time frame $t$, he computes 

$P_i(x, j) = a_{i,j} + b_{i,j}\, x$, 
$d^t_{i,j} = h_t^{a_{i,j}} \bmod p$, 
$e^t_{i,j} = h_t^{b_{i,j}} \bmod p$. 

He then sends $(d^t_{i,j}, e^t_{i,j})$ to $S_j$. $S_j$ accepts $(d^t_{i,j}, e^t_{i,j})$ if and only if 

$h_t^{A_j(i)} = d^t_{i,j}\,(e^t_{i,j})^{r_j} \bmod p \quad (= h_t^{P_i(r_j, j)} \bmod p)$. 

End of time frame: Note that if $C_i$ visits $S_j$ during time frame $t$, then $S_j$ 
obtains 

$d^t_{i,j} = h_t^{a_{i,j}} = h_t^{P_i(0, j)} = h_t^{F(0, j, i)}$. 

Therefore, if $S_j$ has been visited by $k$ or more clients during time frame $t$, 
then $S_j$ can compute $h_t^{F(0, j, 0)}$ by using the Lagrange formula. The value $h_t^{F(0, j, 0)}$ is 
the proof that $S_j$ has been visited by $k$ or more clients during time frame $t$. 
The audit agency $A$ who received $h_t^{F(0, j, 0)}$ checks whether it is indeed $h_t^{F(0, j, 0)}$. 


6.2 Security for Servers 

In our scheme, the security for servers is satisfied for any infinitely powerful 
adversaries. 

Theorem 3. Suppose that $k$ or more clients visit server $S_j$ during time frame $t$. 
Then $S_j$ can compute the proof $g^{u_t F(0, j, 0)}$ with probability more than $1 - 1/(q-1)$ 
for any adversary who corrupts all the clients and all the servers other than $S_j$. 

Proof. Similar to the proof of Theorem 1. □ 


6.3 Security for the Audit Agency 

In this subsection, we consider probabilistic polynomial time adversaries who 
can corrupt d servers and k — 1 clients. 

Theorem 4. Suppose that there exists an adversary $M_0$ who can compute the 
proof $h_t^{F(0, j, 0)}$ for some $j$ and $t$ with nonnegligible probability. Then there exists 
a probabilistic polynomial time Turing machine $M_1$ which can solve the compu- 
tational Diffie-Hellman problem. 
Proof. Without loss of generality, we assume that $M_0$ corrupts $d$ servers $S_1, \ldots, S_d$ 
and $k-1$ clients $C_1, \ldots, C_{k-1}$, and then computes the proof $h_T^{F(0, d, 0)}$ for server 
$S_d$ and time frame $T$ with nonnegligible probability. 

Let the input to $M_1$ be $p, g, X\ (= g^\alpha \bmod p)$ and $Y\ (= g^\beta \bmod p)$. We will 
show that $M_1$ can generate a view of the adversary $M_0$ such that $\alpha = u_T$ and 
$\beta = F(0, d, 0)$. Then by using $M_0$ as a subroutine, $M_1$ can obtain 

$h_T^{F(0, d, 0)} = g^{u_T F(0, d, 0)} = g^{\alpha \beta}$ 

with nonnegligible probability. This means that $M_1$ can solve the computational 
Diffie-Hellman problem. 

The view of the adversary $M_0$ consists of 

(a) the initial secrets of the corrupted clients: $P_1(x, y), \ldots, P_{k-1}(x, y)$, 

(b) the initial secrets of the corrupted servers: $r_1, \ldots, r_d$ and $A_1(z), \ldots, A_d(z)$, 

(c) the challenges: $h_1, \ldots, h_T$, 

(d) the information that the corrupted servers received from honest clients. This 
is at most 

$\{(d^t_{i,j}, e^t_{i,j}) \mid \text{for all } i \ge k \text{ and for all } (j, t) \text{ such that } j \le d \text{ and } (j, t) \neq (d, T)\}$. 

Now $M_1$ generates (a), (b), (c) and (d) as follows. 

(a) $M_1$ randomly chooses $P_1(x, y), \ldots, P_{k-1}(x, y)$. 

(b) $M_1$ randomly chooses $r_1, \ldots, r_d$ and $A_1(0), \ldots, A_d(0)$. These determine 
$A_1(z), \ldots, A_d(z)$ because $\deg A_j(z) = k-1$ and 

$A_j(i) = P_i(r_j, j)$ for $1 \le i \le k-1$. 

(c) $M_1$ randomly chooses $u_1, \ldots, u_{T-1}$ and lets $h_i = g^{u_i}$ for $1 \le i \le T-1$. Let 
$h_T = X$. 

Finally, $M_1$ generates the elements of (d) as follows. $M_1$ has 

By slightly modifying the proof of Theorem 2, $M_1$ can compute $(a_{i,j}, b_{i,j})$ for 
$j < d$ and $(g^{a_{i,d}}, g^{b_{i,d}})$, where 

$a_{i,j} + b_{i,j}\, x = P_i(x, j) = F(x, j, i)$. 

Therefore, 

1. For $j = d$ and $t \le T-1$, $M_1$ can compute $(d^t_{i,d}, e^t_{i,d})$ from $(g^{a_{i,d}}, g^{b_{i,d}})$ and 
$u_t$. 

2. For $j < d$ and $t = T$, $M_1$ can compute $(d^T_{i,j}, e^T_{i,j})$ from $(a_{i,j}, b_{i,j})$ and 
$X = g^\alpha = g^{u_T}$. 

3. For $j < d$ and $t \le T-1$, $M_1$ can compute $(d^t_{i,j}, e^t_{i,j})$ from $(a_{i,j}, b_{i,j})$ and $u_t$. 
7 New Robust Secret Sharing Scheme 

7.1 Previous Schemes 

In a $(k, n)$ threshold secret sharing scheme, a dealer distributes a secret $s$ to $n$ 
participants, $P_1, \ldots, P_n$, in such a way that $k$ or more participants can recover $s$ 
and $k-1$ or less participants have no information on $s$. A piece of information 
held by $P_i$ is called a share and it is denoted by $v_i$. 

In the reconstruction phase, $P_i$ opens $v_i$ if he is honest. However, he may lie 
about $v_i$ if he is a cheater. A secret sharing scheme is called robust if a cheater 
can be identified with overwhelming probability. 

Let $\mathcal{S}$ denote the set of secrets and $\mathcal{V}_i$ denote the set of possible shares of $P_i$. 
T. Rabin and Ben-Or [3] showed a robust $(k, n)$ threshold secret sharing scheme 
(RB scheme) such that 

$\log_2 |\mathcal{V}_i| = (3n - 2) \log_2 |\mathcal{S}|$. 

Carpentieri [1] showed a robust $(k, n)$ threshold secret sharing scheme such that 

$\log_2 |\mathcal{V}_i| = (2n + k - 1) \log_2 |\mathcal{S}|$. 

In these schemes, $n-1$ cheaters cannot cheat an honest participant with prob- 
ability more than $1/|\mathcal{S}|$. 

7.2 Proposed Scheme 

In this section, we derive a new robust $(k, n)$ threshold secret sharing scheme 
from our metering scheme such that $|\mathcal{V}_i|$ is much smaller than those of the 
previous schemes with slightly less cheater detection capability. 

In our scheme, 

$\log_2 |\mathcal{V}_i| = (2k + 1) \log_2 |\mathcal{S}|$, 

and $k-1$ cheaters cannot cheat an honest participant with probability more 
than $(k-1)/(|\mathcal{S}|-1)$. Note that it is assumed that there are at most $k-1$ 
cheaters instead of $n-1$ cheaters. This is, however, not a problem because any 
$k$ participants (cheaters) can recover the secret. 

Let $p$ be a prime and let $\mathcal{S} = GF(p)$. 

Distribution phase: For a secret $s \in GF(p)$, the dealer chooses a bivariate 
random polynomial over $GF(p)$ such that 

$F(x, y) = \sum_{l=0}^{k-1} \sum_{m=0}^{k-1} a_{lm}\, x^l y^m$ 

with $F(0, 0) = a_{00} = s$. He also chooses $n$ random elements $r_i \in \mathbb{Z}_p \setminus \{0\}$. 
Let 

$B_i(x) = F(x, i)$, 
$A_i(y) = F(r_i, y)$. 

The dealer then gives $v_i = (B_i(x), r_i, A_i(y))$ to the participant $P_i$. 
Reconstruction phase: Each $P_i$ opens $B_i(x)$. Each other $P_j$ accepts $B_i(x)$ if 
and only if 

$B_i(r_j) = A_j(i)$. 

Note that $k$ or more correct $B_i(x)\ (= F(x, i))$ uniquely determine $s = F(0, 0)$. 

Theorem 5. $k-1$ cheaters cannot cheat an honest participant with probability 
more than $(k-1)/(p-1)$. 

Proof. Suppose $k-1$ participants $P_1, \ldots, P_{k-1}$ conspire and try to cheat $P_k$. 
Suppose $P_1$ opens $B(x)$ such that $B(x) \neq B_1(x)$. $P_1$ succeeds if $B(r_k) = A_k(1)$. 
Since $B(x)$ can be written as $B(x) = B_1(x) + \Delta B(x)$ for some polynomial 
$\Delta B(x) \neq 0$ with degree $k-1$ or less, this cheating probability is computed as 
follows. 

$\Pr[B(r_k) = A_k(1)] = \Pr[B_1(r_k) + \Delta B(r_k) = A_k(1)]$ 
$= \Pr[\Delta B(r_k) = 0]$ 
$= |\{r \in \mathbb{Z}_p \setminus \{0\} \mid \Delta B(r) = 0\}| \,/\, |\{r \in \mathbb{Z}_p \setminus \{0\}\}|$ 
$\le (k-1)/(p-1)$. 

□ 
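The metering scheme of Sec. 6.1 and the secret sharing scheme of Sec. 7.2 rest on the same machinery (a random multivariate polynomial over a prime field, its evaluation, and the Lagrange formula), so one added example, written here and not code from the paper, exercises both: a server verifies the $(d, e)$ pairs it receives with $r_j$ and $A_j(i)$ and assembles $h_t^{F(0,j,0)}$ in the exponent, and a dealer shares a secret whose reconstruction rejects a participant who opens a wrong $B(x)$. The group $\mathbb{Z}_{23}^*$ with $q = 11$, the prime $p = 101$ and all indices are toy values constructed for illustration.

```python
import random

# Added example, not the paper's code: the computationally secure metering scheme
# of Sec. 6.1 and the robust (k, n) secret sharing of Sec. 7.2 share the same
# polynomial machinery. All parameters are toy values constructed for illustration.

def lagrange_coeffs_at_zero(xs, q):
    """lambda_i with f(0) = sum(lambda_i * f(x_i)) for any f of degree < len(xs) over GF(q)."""
    out = []
    for xi in xs:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % q
                den = den * (xi - xj) % q
        out.append(num * pow(den, -1, q) % q)
    return out

def random_poly(degrees, q, rng):
    """Nested coefficient table of a random polynomial with degrees[v] in variable v."""
    if len(degrees) == 1:
        return [rng.randrange(q) for _ in range(degrees[0] + 1)]
    return [random_poly(degrees[1:], q, rng) for _ in range(degrees[0] + 1)]

def poly_eval(coeffs, point, q):
    """Evaluate a nested coefficient table at point = (x, y, ...) over GF(q)."""
    if not point:
        return coeffs % q
    return sum(poly_eval(c, point[1:], q) * pow(point[0], e, q)
               for e, c in enumerate(coeffs)) % q

# --- Sec. 6.1: metering. Constructed group: g = 2 has prime order q = 11 in Z_23^*.
P, Q, G = 23, 11, 2

def metering_time_frame(k, d, n_clients, j, seed):
    """Clients 1..n_clients visit server S_j during one time frame. Returns
    (number of accepted pairs, proof computed by S_j, value the audit agency expects)."""
    rng = random.Random(seed)
    F = random_poly((1, d - 1, k - 1), Q, rng)        # deg 1 in x, d-1 in y, k-1 in z
    r = {s: rng.randrange(1, Q) for s in range(1, d + 1)}  # r_j in Z_q \ {0} per server
    h_t = pow(G, rng.randrange(1, Q), P)              # published challenge h_t = g^{u_t}
    accepted = {}
    for i in range(1, n_clients + 1):
        a = poly_eval(F, (0, j, i), Q)                # P_i(x, j) = F(x, j, i) = a + b x
        b = (poly_eval(F, (1, j, i), Q) - a) % Q
        d_ij, e_ij = pow(h_t, a, P), pow(h_t, b, P)   # C_i sends (d, e) to S_j
        # S_j holds A_j(z) = F(r_j, j, z) and accepts iff h_t^{A_j(i)} == d * e^{r_j}
        if pow(h_t, poly_eval(F, (r[j], j, i), Q), P) == d_ij * pow(e_ij, r[j], P) % P:
            accepted[i] = d_ij                        # = h_t^{F(0, j, i)}
    proof = None
    if len(accepted) >= k:                            # Lagrange formula in the exponent
        ids = sorted(accepted)[:k]
        proof = 1
        for i, lam in zip(ids, lagrange_coeffs_at_zero(ids, Q)):
            proof = proof * pow(accepted[i], lam, P) % P
    expected = pow(h_t, poly_eval(F, (0, j, 0), Q), P)  # h_t^{F(0,j,0)}, checked by A
    return len(accepted), proof, expected

# --- Sec. 7.2: robust (k, n) threshold secret sharing over GF(p).
def ss_distribute(secret, k, n, p, seed):
    """Share v_i = (B_i(x), r_i, A_i(y)) with B_i(x) = F(x, i) and A_i(y) = F(r_i, y)."""
    rng = random.Random(seed)
    F = random_poly((k - 1, k - 1), p, rng)
    F[0][0] = secret % p                              # F(0, 0) = a_00 = s
    shares = {}
    for i in range(1, n + 1):
        r_i = rng.randrange(1, p)
        B_i = [sum(F[l][m] * pow(i, m, p) for m in range(k)) % p for l in range(k)]
        A_i = [sum(F[l][m] * pow(r_i, l, p) for l in range(k)) % p for m in range(k)]
        shares[i] = (B_i, r_i, A_i)
    return shares

def ss_reconstruct(opened, shares, k, p):
    """opened = {i: polynomial B(x) that P_i claims to be B_i(x)}. Every other holder
    P_j accepts it iff B(r_j) == A_j(i); a share rejected by anyone is discarded."""
    good = {}
    for i, B in opened.items():
        if all(poly_eval(B, (r_j,), p) == poly_eval(A_j, (i,), p)
               for j, (_, r_j, A_j) in shares.items() if j != i):
            good[i] = poly_eval(B, (0,), p)           # B_i(0) = F(0, i)
    if len(good) < k:
        return None                                   # too few accepted shares
    ids = sorted(good)[:k]
    return sum(lam * good[i] for i, lam in zip(ids, lagrange_coeffs_at_zero(ids, p))) % p

if __name__ == "__main__":
    print(metering_time_frame(3, 2, 4, 1, seed=2000))  # proof equals expected
    shares = ss_distribute(42, 3, 5, 101, seed=1)
    honest = {i: shares[i][0] for i in (1, 2, 3)}
    cheat = {**honest, 1: [(c + 1) % 101 for c in honest[1]]}  # P_1 opens B_1(x) + 1
    print(ss_reconstruct(honest, shares, 3, 101))     # 42
    print(ss_reconstruct(cheat, shares, 3, 101))      # None: P_1's share is rejected
```

The cheating share is rejected by every honest verifier because $\Delta B(x) = 1$ has no root at all, the extreme case of the $(k-1)/(p-1)$ bound of Theorem 5.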
Abstract. We will describe the outline of the cryptographic technology 
evaluation project in Japan and its present status. The purpose 
of this project is to evaluate and list the cryptographic technology which the Japanese 
Government uses. Selected cryptographic technol- 
ogy will be used in the information security system which the Japanese 
Government will use in the future. 

Keywords. Cryptographic technology, Symmetric ciphers, Asymmet- 
ric ciphers, Evaluation 

1 Background 

Creating the common security basis is one of the most important tasks for the 
Japanese electronic government of which the infrastructure and primary sys- 
tems will be constructed by FY 2003. Cryptographic techniques are particularly 
important and indispensable components of the electronic government because 
these not only provide information confidentiality and prevent information fal- 
sification, but also assure electronic authentication. Because of this importance, 
it has been pointed out domestically that the Japanese national government 
should adopt a cryptography usage policy in order to ensure that cryptogra- 
phy is integrated properly into the electronic government. Internationally, on 
the other hand, the ISO/IEC JTC1 has begun efforts aimed at standardizing 
cryptographic algorithms. CRYPTREC Project is an essential part of the MITI 
Action Plan for a Secure E- Government, which was announced by the Ministry 
of International Trade and Industry (MITI) in April 2000. MITI has entrusted 
the IPA with the implementation of this project. 

2 Purposes and Project Implementation 

T. Okamoto (Ed.): ASIACRYPT 2000, LNCS 1976, pp. 399-400, 2000. 

The purpose of this project is to publish a technical report by the end of March 
2001. It is to include a list of characteristics of cryptographic techniques that 
will be proposed through a call for submission applicable to the Japanese elec- 
tronic government. In order to make such a list, the action plan of the project 
contains investigation and evaluation of the proposed cryptographic techniques 
in terms of security, implementation and other characteristics from the objective 
viewpoints of various specialists. Four governmental offices (the Management 
and Coordination Agency, the Ministry of International Trade and Industry, 
the Ministry of Posts and Telecommunications and the Defense Agency, Japan) 
jointly organized CRYPTREC (CRYPTREC: CRYPTography Research & Eval- 
uation Committee) to carry out this project. The committee, which is composed 
of prominent cryptography specialists in Japan, will evaluate the submitted cryp- 
tographic techniques. Cryptographic techniques that will be evaluated are the 
four types of techniques considered indispensable in the electronic government: 

(1) asymmetric cryptographic schemes 

(2) symmetric ciphers 

(3) hash functions 

(4) pseudorandom number generators. 

The evaluation will be conducted in two phases: the screening test phase and the 
detailed evaluation phase. The latter will be carried out on the proposals that 
have passed the screening tests. The evaluation guidelines are to be established 
by the committee. 

Reports, including the evaluation results, will be compiled by the committee 
following due and proper consideration on fairness and transparency, and will 
be announced on web pages hosted by the IPA. 

3 Status of Subscriptions 

CRYPTREC received 48 proposals in response to its Call for Cryptographic Techniques. The 
following table shows the number of submissions in each category. At present, 
CRYPTREC is evaluating these candidates from the viewpoints of both security 
and efficiency of implementation. 


Table 1. Subscriptions 

Category                                    Number 
Total Number of All Subscriptions               48 
Asymmetric Cryptographic Schemes                24 
    Confidentiality                              7 
    Authentication                               1 
    Signature                                   10 
    Key-sharing                                  6 
Symmetric Ciphers                               19 
    Stream ciphers                               6 
    64-bit block ciphers                         4 
    128-bit block ciphers                        9 
Hash Functions                                   0 
Pseudo-random Number Generators                  5 


Details of the project can be found at the following URL: 
http://www.ipa.go.jp/security/enc/CRYPTREC/index-e.html 
Abstract. Fingerprinting schemes support copyright protection by en- 
abling the merchant of a data item to identify the original buyer of a 
redistributed copy. In asymmetric schemes, the merchant can also con- 
vince an arbiter of this fact. Anonymous fingerprinting schemes allow 
buyers to purchase digital items anonymously; however, identification is 
possible if they redistribute the data item. 

Recently, a concrete and reasonably efficient construction based on digi- 
tal coins was proposed. A disadvantage is that the accused buyer has to 
participate in any trial protocol to deny charges. Trials with direct non- 
repudiation, i.e., the merchant alone holds enough evidence to convince 
an arbiter, are more useful in real life. This is similar to the difference 
between “normal” and “undeniable” signatures. 

In this paper, we present an equally efficient anonymous fingerprinting 
scheme with direct non-repudiation. The main technique we use, delayed 
verifiable encryption, is related to coin tracing in escrowed cash systems. 
However, there are technical differences, mainly to provide an unforge- 
able link to license conditions. 

Key words: Fingerprinting, Digital Coin, Anonymity, Restrictiveness 


1 Introduction 

Protection of intellectual property in digital form has been a subject of research 
for many years and led to the development of various techniques. Fingerprint- 
ing schemes are an important class of these techniques. They are cryptographic 
methods applied to deter people from redistributing a data item by enabling the 
original merchant to trace a copy back to its original buyer. Dishonest buyers 
who redistribute the data item illegally are called traitors. The identifying in- 
formation, called fingerprint, is embedded into copies of the original data item. 
The underlying watermarking techniques should guarantee that the embedded 
fingerprints are imperceptible and resistant to data manipulation as long as a 
traitor only uses one copy. 

The first enhancement is collusion tolerance [BMP86, BS95, CKLS96], i.e., 
resistance even if traitors compare up to a certain number of different copies. A 
second addition is asymmetry [PS96a, PW97a, BM97]; here the merchant finds 
an actual proof of the treachery in a redistributed copy, i.e., some data (similar 
to a signature “I redistributed”) that only the identified buyer could have 
computed. The third addition is anonymity where buyers can stay anonymous 
in purchasing a fingerprinted data item. Only if they redistribute the data item, 
the identity is revealed. We mean anonymity in the strong sense of the original 
definition in [PW97b], i.e., any coalition of merchants, central parties and other 
buyers should not be able to distinguish purchases of the remaining buyers. A 
weak form can easily be achieved by using any asymmetric fingerprinting scheme 
under a certified pseudonym instead of a real identity. In the context of finger- 
printing a distinction can be made whether one fingerprints the actual data item 
or a key for decrypting it. The latter, introduced in [CFN94], is typically called 
traitor tracing. Here we deal with anonymous asymmetric data fingerprinting 
with collusion tolerance. 1 

Anonymous fingerprinting was introduced in [PW97b], but only a construc- 
tion using general theorems like “every NP-language has a zero-knowledge proof 
system” was presented there. In [PS99], an explicit construction based on digital 
coins was shown. It is fairly efficient in the sense that all operations are effi- 
cient computations with modular multiplications and exponentiations; however, 
at least in the collusion-tolerant case, the code needed for embedding is so long 
that the overall system cannot be called practical. 

A remaining problem with the coin-based construction is that it does not offer 
direct non-repudiation, i.e., in the case of a dispute, the accused buyer has to 
participate in the trial to deny the charges if possible. Direct non-repudiation, 
where the merchant alone has enough information to convince any arbiter, is 
more useful in real life. This is obviously true when the buyer is not reachable. 
But it holds even if the accused buyer has to be found in any case for reasons 
outside the cryptographic system, e.g., for punishment, or simply because real- 
life trials require the accused person to be notified. The buyer could rightly or 
wrongly claim to have lost the information needed for the trial or the password 
to it, or it could happen that a dissolved company did not leave such information 
to its legal successors. The difference is similar to that between normal digital 
signatures (direct non-repudiation) and undeniable signatures [CA90] (signer 
needed in trial). 

In this paper we remedy this problem. Our new construction is coin-based 
again and equally efficient as the previous one. The new part is based on methods 
from coin tracing, concretely [FTY96], in particular a technique we call delayed 
verifiable encryption. However, on the one hand the similarity is only at the 
technical level: recall that we do not require a trusted third party. 2 On the other 
hand, we need a closer binding between this encryption and the coin than in 
coin tracing to provide an unforgeable link to the license conditions. 


1 Omitting the collusion tolerance automatically makes the schemes significantly more 
efficient. 

2 Otherwise we could use the simple solution (weak form) mentioned above. 
2 Overview of the Model 

In this section, we briefly review the model of anonymous fingerprinting proposed 
in [PW97b]. It involves merchants $\mathcal{M}$, buyers $\mathcal{B}$, registration centers $\mathcal{RC}$ and 
arbiters $\mathcal{A}$. We assume that buyers can already digitally sign under their “real” 
identity $ID_B$, i.e., that corresponding public keys $pk_B$ have been distributed. 
Before the buyers can purchase fingerprinted data items, they must register with 
a registration center $\mathcal{RC}$. Registration centers will enjoy the minimum possible 
trust, i.e., the most a dishonest $\mathcal{RC}$ can do is to refuse a registration. 3 An arbiter 
$\mathcal{A}$ represents an arbitrary honest party who should be convinced by a proof. 

The four main protocols of an anonymous fingerprinting scheme are registra- 
tion, fingerprinting, identification, and trial. Besides, there are three protocols 
for registration center key distribution, where $\mathcal{RC}$ distributes specific parame- 
ters, data initialization, which a merchant carries out before the first sale of a 
specific data item, and enforced identification for the case where a merchant 
claims towards an arbiter that $\mathcal{RC}$ refuses to cooperate in identification. 

The main security requirements on an anonymous fingerprinting scheme are 
the following (for more details see [PW97b] and the section on security in [PS00]): 

1. An honest merchant must be able to identify a traitor and win in the cor- 
responding trial for every illegally redistributed copy of the data item he finds, 
unless the collusion is larger than the tolerated limit. The identified traitor may 
be $\mathcal{RC}$, in particular if it wrongly refuses identification. Moreover, even if there 
are more traitors, the merchant may want to be protected from damaging his 
reputation by making accusations and losing the trial. Hence it is required that 
if identification succeeds at all, he should also win the trial. 

2. No honest buyer B or honest $\mathcal{RC}$ should be found guilty by an honest ar- 
biter, not even if there are more traitors than the limit used in the security of 
the merchant. In particular, as some redistributions may be legal, a proof of 
redistribution must be unambiguously linked to a value $text$ used during finger- 
printing and typically designating the terms and conditions. 

3. Purchases of honest buyers should not be linkable even by a collusion of all 
merchants, $\mathcal{RC}$, and other buyers. 

3 General Ideas of Coin-Based Fingerprinting 

In this section we recall the coin-based fingerprinting from [PS99]. The basic idea 
for using digital cash systems with double-spender identification to construct an 
anonymous fingerprinting scheme is as follows: Registration corresponds to with- 
drawing a coin. (The “coins” only serve as a cryptographic primitive and have no 

3 One may ask why $\mathcal{RC}$ is then needed, e.g., whether the merchants could not play this 
untrusted role themselves. However, buyers will only be anonymous among all people 
registered at the same registration center, and corresponding groups per merchant 
could be too small for meaningful anonymity. 
monetary value.) During fingerprinting, the coin is given to the merchant, and 
in principle a first payment with this coin is made. 4 So far, the untraceability 
of the cash system should guarantee that the views of the registration center 
and the merchant are unlinkable. Then a second payment with the same coin 
is started. Now, instead of giving the buyer’s response to the merchant, it is 
embedded in the data item. This embedding must be both secret and verifiable. 
After a redistribution, the merchant can extract the second response from the 
data item and carry out double-spender identification. 

Apart from the efficient secret and verifiable embedding of the second pay- 
ment response in the data, the main problem is the unambiguous link to a text 
describing the terms and conditions of the purchase that we required. Recall 
that in cash systems, double-spender identification has no such properties: the 
merchant simply obtains one fixed value $i$, called identity proof, independent 
of which coins were double-spent and how often. The first idea was to sign the 
text with a secret key whose corresponding public key $pk_{text}$ is included in the 
coin. However, the registration center, as the signer of the coins, can forge coins 
even in such a way that they can be linked to a certain withdrawal (where the 
buyer may have signed the withdrawal data). Hence the real problem is how to 
show that the particular coin with $pk_{text}$ is in fact one that the accused buyer 
has withdrawn. The solution idea in [PS99] was as follows: The buyer is able 
to repudiate an accusation with a wrong coin by presenting a different coin and 
the blinding elements that link it to the specific withdrawal from which this 
coin is supposed to come. For the case of Brands’ payment system [Bra94], this 
was shown to be secure under a slightly stronger restrictiveness assumption than 
what would be needed for the pure payment system. Instead, we now want to 
give the merchant a direct proof that does not involve the buyer. 

4 Ideas for Achieving Direct Non-repudiation 

In this section we give an informal overview of the new construction with direct 
non-repudiation, i.e., where the merchant can convince an arbiter without par- 
ticipation of the accused buyer. As described in Section 3, we want to fix the 
actual terms and conditions $text$ by signing them with respect to a key $pk_{text}$ 
contained in the coin, and it remains to link this key unforgeably to a particular 
buyer after a redistribution. 

The basic idea is to encrypt this coin key $pk_{text}$ during the registration, and 
such that the identity proof $i$ is the secret key needed for decryption. The buyer 
must sign this encryption $enc$ under his real identity so that he is bound to it. 
Hence, once the merchant learns $i$ due to a redistribution, it is possible to decrypt 
$enc$ and verify which coin key $pk_{text}$ the buyer planned to use. Note that the 
buyer is not needed in this step; this is essential for the direct non-repudiation. 

4 Actually the protocol is simpler, more like “zero-spendable” coins where the coin 
as such can be shown but any response to a challenge leads to identification. For 
intuitiveness, we nevertheless still call this response “second payment” in the informal 
part. 
Each $i$ is only used for one coin so that the link between the particular coin and 
the corresponding encryption $enc$ will be clear. The next step is to force the buyer 
to encrypt the same $pk_{text}$ in $enc$ as he uses in the coin — clearly, if he can encrypt 
another value, his real coin will later not be attributed to him. Hence we need 
a kind of verifiable encryption. However, at this point there is nothing to verify 
the encryption against — $pk_{text}$ is deep inside the perfectly blinded coin. Here the 
ideas from coin tracing are applied, in particular from [FTY96] for Brands’ cash 
scheme, where a similar problem exists with an encryption $enc^*$ for a trusted 
third party. The solution is to provide an additional specific encoding $M$ of $pk_{text}$ 
whose content is invariant under blinding. During registration (withdrawal), the 
buyer proves in zero-knowledge that $enc$ and $M$ have the same content. The 
registration center then blindly signs $M$ and the buyer transforms it to $M'$. 
Later, in fingerprinting (a payment), the merchant sees the real $pk_{text}$ used in 
the coin in clear. The buyer then opens the blinded encoding $M'$, which has the 
same content as $M$, and the merchant verifies that this content is really $pk_{text}$. 
Overall, this implies that also $enc$ contained the correct $pk_{text}$. 

Apart from using the identity proof $i$ as a key instead of a trusted third 
party’s key, we need another modification to this idea: In [FTY96], the coin and 
$M$ are blindly signed in two different signatures. If we did this, traitors could 
successfully attack the scheme by combining wrong pairs of coins and $M$’s. Hence 
we need a combined blind signature on the pair, where the pair can be uniquely 
decomposed both in the blinded and the unblinded form. Thus, while the coins 
and the encodings $M$ in [FTY96] are constructed using the same pair of gener- 
ators in a discrete-logarithm setting, we use four generators and construct coins 
and $M$ using different pairs. The blind signature is made on the product. (More 
generators in conjunction with Brands’ system have been used several times in 
the past, e.g., in [Bra93, BGK95, FTY98].) Restrictiveness of the blind signa- 
ture scheme, together with proofs of knowledge that the values are formed over 
the correct generators, guarantees that a buyer cannot decompose the product 
in two non-corresponding ways at both sides. Here is also where the specific 
restrictiveness assumption comes in: The security of $\mathcal{RC}$ relies on the correct de- 
composition, and $\mathcal{RC}$ cannot trust the merchants to verify zero-knowledge proofs 
in fingerprinting correctly. Hence one aspect of the decomposition (the fact that 
the buyer knows the discrete logarithm of $pk_{text}$ over the correct generator) is 
only substantiated by a Schnorr signature towards $\mathcal{RC}$. In our setting, even in the 
random oracle model we cannot easily define and prove this Schnorr signature 
to be a non-interactive proof of knowledge for lack of an initial common input 
and hence we have to accommodate this immediately in the restrictiveness 
assumption, see Section 6.1. We believe that certain statements in papers on 
related coin systems must be formalized in the same way. 

5 Construction 

We now present the new construction step by step. There are no surprises given 
the informal description in the previous section. However, as there are no mod- 
ular definitions for most components we use, and as we modify some of them 
internally, a concrete description of the overall system seems to be the easiest 
way to make everything precise and to get security proofs. 

For simplicity, we assume that there is only one registration center. Once 
and for all, a group $G_q$ from a family of groups of prime order and generators 
$g, g_1, g_2, g_3, g_4 \in G_q \setminus \{1\}$ are selected. For concreteness, assume that $G_q$ is the 
unique subgroup of order $q$ of the multiplicative group $\mathbb{Z}_p^*$, where $p$ is another 
prime with $q \mid (p-1)$. Even $\mathcal{RC}$, who will typically make this choice, should not 
be able to compute discrete logarithms in $G_q$, and the generators must be truly 
random. 5 Hash functions $hash$ and $hash'$ for the underlying protocols (Brands 
and Schnorr signatures) must also be fixed. Finally, $\mathcal{RC}$ generates a secret signing 
key $x \in_R \mathbb{Z}_q^*$ and publishes the public key $h = g^x \bmod p$. 

5.1 Registration 

An overview of the registration protocol is given in Figures 1 and 2. In the follow- 
ing, we relate the figures to the informal description and explain the correctness 
proof. 

1. Opening a one-time account. B chooses the “identity proof” $i \in_R \mathbb{Z}_q^*$ 
randomly and secretly and computes $h_1 = g_1^i$ (with $h_1 g_2 \neq 1$), the “account 
number” from Brands’ system, and $h_3 = g_3^i$, which we introduced specially as a 
public key for ElGamal encryption. 

2. Coin key and encryption. The value $k$, also selected secretly and ran- 
domly by B, serves as the secret coin key and $pk_{text} = g_4^k \bmod p$ as the cor- 
responding public key. B encrypts this public coin key into a ciphertext $enc$ 
using $h_3$ as the public key of ElGamal encryption. She computes a signature 
$sig_{coin} = sig_{pk_B}(h_1, h_3, enc)$ under her normal identity and sends it to $\mathcal{RC}$, who 
verifies it. This signature later shows that B is responsible for this “account” 
identified by the keys $h_1$ and $h_3$ and for the public key encrypted in $enc$. 

3. Encoding for delayed verifiable encryption. The additional encoding 
of $pk_{text}$ is the pair $(M_1, M_2) = (g_3^j, pk_{text}^j)$ whose content is invariant under 
the following blinding operation. $\mathcal{RC}$ will verify that $M_1 \neq 1$. The content is 
uniquely defined because $M_1 \neq 1$ uniquely defines $j \neq 0$, and then $M_2$ and $j$ 
uniquely define $pk_{text}$. 

4. Correctness proofs. Now B sends the public values to $\mathcal{RC}$ and gives certain 
correctness proofs. Intuitively, this is in particular that $h_1$ and $h_3$ contain the 
same identity proof $i$, and that the content of the encryption (which is uniquely 
defined given $h_3$) equals the content of the pair $(M_1, M_2)$ as defined above. For- 
mally, B has to give a zero-knowledge proof of knowledge of the values $i, j, k, y$ 
such that the public values, i.e., $h_1, h_3, enc, M_1, M_2$ fulfill the prescribed equa- 
tions. 

5 The randomness of the generators can be verified if $\mathcal{RC}$ proceeds as follows: Select 
a non-secret string $r$ of a certain length uniformly and randomly, e.g., by using an 
old random number table. Using $r$, generate primes $q$ and $p$ and elements $e_i \in \mathbb{Z}_p^*$ 
deterministically. Compute the generators as $g_i = e_i^{(p-1)/q}$. If a $g_i$ is not a generator, 
repeat its choice. 


[Fig. 1, recovered as text; the left column of the original figure is B, the right column is $\mathcal{RC}$.] 

B: $i, j, k, y \in_R \mathbb{Z}_q^*$ 
B: $h_1 := g_1^i$, $h_3 := g_3^i$ 
B: $pk_{text} := g_4^k$ 
B: $enc := (d_1, d_2) := (h_3^y\, pk_{text},\ g_3^y)$ 
B: $sig_{coin} := sig_{pk_B}(h_1, h_3, enc)$ 
B: $(M_1, M_2) := (g_3^j, pk_{text}^j)$ 
B → $\mathcal{RC}$: $h_1, h_3, enc, sig_{coin}, M_1, M_2$ 
$\mathcal{RC}$: $h_1 g_2 \neq 1$? 
$\mathcal{RC}$: Verify $sig_{coin}$ 
$\mathcal{RC}$: $M_1 \neq 1$? 
B ↔ $\mathcal{RC}$: correctness proof 
Both: $N := h_1 g_2 M_1 M_2$ 

Fig. 1. The registration protocol before the blind signature 


This can be done by using a simple protocol from [CEG88] for $i$ and the 
specific “indirect discourse proof” from [FTY96] for the remaining parameters. 
However, there is also a general efficient technique for proving low-degree polynomial 
relations in exponents [Cam98], Section 3.5, which comprises this and 
many similar situations. The protocol from [CEG88] for showing that $h_1$ and $h_3$ 
are correct is shown in [PS00]. Exactly the same type of proof is not possible for 
the other values because one equation is $M_2 = g_4^{jk}$, where neither $g_4^j$ nor $g_4^k$ can 
be public. Here is where the techniques for polynomials come in (e.g., Camenisch 
uses blinded versions of the required intermediate values to get back 
to the linear situation). 

5. Withdrawal. Now $\mathcal{RC}$ gives a blind signature on the combination of a 
coin and the encoding $(M_1, M_2)$. Let $m = g_1^i g_2 = h_1 g_2$ be the value typically 
signed in Brands’ scheme, $M = M_1 M_2$, and $N = mM$. This $N$ is the common 
input to the blind signing protocol (essentially from [CP93]). In [Bra94], 
an additional value is included in the hashing; we use $pk_{text}$ in that place. 
The resulting protocol is shown in Figure 2. As a result, B obtains the “coin” 
$coin' = (N', pk_{text}, t')$, where $N' = (mM)^s$ and $t' = (z', a', b', r')$ is called 
the signature on $(N', pk_{text})$.⁶ We denote the blinded versions of $m$ and $M$ by 
$m' = m^s = g_1^{is} g_2^s$ and $M' = M^s = g_3^{s'} pk_{text}^{s'}$, where $s' = sj$. 

⁶ In the sense of Section 4 this is not only the coin, but also still contains the blinded 
specific of $pk_{text}$. However, in the following, it is simpler to call this unit a coin. 
B                                                        $\mathcal{RC}$

                                                         $z := N^x$
                                                         $w \in_R \mathbb{Z}_q$
                                                         $a := g^w \bmod p$
                                                         $b := N^w \bmod p$
                                  $z, a, b$
      <---------------------------------------------------

$s \in_R \mathbb{Z}_q^*$
$z' := z^s,\; N' := N^s$
$u, v \in_R \mathbb{Z}_q$
$a' := a^u g^v,\; b' := b^{su} N'^v$
$c' := hash(N', z', a', b', pk_{text})$
$c := c'/u \bmod q$
                                     $c$
      --------------------------------------------------->

                                                         $r := cx + w \bmod q$
                                     $r$
      <---------------------------------------------------

$g^r = a h^c,\; N^r = b z^c \bmod p$?
$r' := ru + v \bmod q$

Fig. 2. The blind signature part of the registration protocol 


5.2 Fingerprinting 

The main common input in fingerprinting is the value text typically used to refer 
to the license conditions. We assume that each text is fresh for both buyer and 
merchant in this protocol, i.e., neither of them uses a value text twice. This can 
be achieved by a number of standard techniques. 

1. Text signing and coin verification. B selects an unused coin $coin' = 
(N', pk_{text}, t')$. He uses the corresponding secret key $k$ to make a Schnorr signature 
$sig_{text}$ on $text$ (where we include $pk_{text}$ in the hashing) and sends $(coin', 
m', M', s', sig_{text})$ to $\mathcal{M}$. Now $\mathcal{M}$ first verifies the blind signature: He computes 
$c' = hash(N', z', a', b', pk_{text}) \bmod q$ and tests whether $g^{r'} = a' h^{c'}$ and 
$N'^{r'} = b' z'^{c'} \bmod p$ hold. We say that a coin is valid if and only if it passes these 
tests. He then verifies $sig_{text}$ using $pk_{text}$ from $coin'$. 

2. Verification of decomposition. $\mathcal{M}$ first verifies that $N' = m'M'$, $N' \neq 1$ 
and $m' \neq 1$. Then B proves to $\mathcal{M}$ in zero-knowledge that he knows a representation 
of $m'$ with respect to $(g_1, g_2)$ and of $pk_{text}$ with respect to $g_4$ [CEG88]. 

3. Delayed part of verifiable encryption. $\mathcal{M}$ verifies whether $M' = g_3^{s'} pk_{text}^{s'}$ 
holds. (Details why this verification is sufficient can be seen in the proof of the 
security of the registration center, see [PS00].) 

4. Embedding. B takes the representation $(is, s)$ of $m' = g_1^{is} g_2^s$ as the value 
$emb$ to be embedded secretly and verifiably in the data item. This is the identical 
task as in [PS99] and thus from here on we can reuse the old protocol. 

For the overall security considerations later, note that in this protocol, additional 
commitments on $(is, s)$ are made. These are information-theoretically 
hiding discrete-logarithm commitments using generators chosen by the merchant 
and quadratic-residue commitments with respect to a number $n$ chosen by the 
buyer specially for this embedding. The rest are zero-knowledge protocols. Finally, 
the buyer decrypts quadratic-residue commitments provided by the merchant 
with respect to the buyer’s $n$. 
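
The registration values of Fig. 1, the blind signing of Fig. 2 and the merchant's coin checks of Steps 1-3 above, run end to end in a constructed Python example (added here, not the paper's code): the group is a toy subgroup of order $q = 1019$ in $\mathbb{Z}_p^*$ with $p = 2039$, SHA-256 plays the role of $hash$, and the generator derivation of footnote 5 and the zero-knowledge proofs of Steps 2 and 4 are left out.

```python
"""Toy run of registration (Fig. 1), withdrawal (Fig. 2) and the merchant's
coin checks (Section 5.2, Steps 1-3). Constructed example, not the paper's code:
a small subgroup with p = 2q+1 and SHA-256 stand in for the unspecified group
and hash function."""
import hashlib
import secrets

P, Q = 2039, 1019                      # toy primes with q | p-1 (constructed)

def gen(seed: int) -> int:
    """Squares mod p lie in the order-q subgroup; deterministic toy generators."""
    return pow(seed, 2, P)

G, G1, G2, G3, G4 = (gen(x) for x in (2, 3, 5, 7, 11))

def hash_q(*vals: int) -> int:
    """hash(N', z', a', b', pk_text) reduced mod q (merchant's Step 1)."""
    h = hashlib.sha256()
    for v in vals:
        h.update(v.to_bytes(8, "big"))
    return int.from_bytes(h.digest(), "big") % Q

def rnd_star() -> int:
    """Uniform element of Z_q^*."""
    return secrets.randbelow(Q - 1) + 1

class RegistrationCenter:
    """RC's side of Fig. 2: Chaum-Pedersen signer with secret x and h = g^x."""
    def __init__(self):
        self.x = rnd_star()
        self.h = pow(G, self.x, P)
    def commit(self, N: int):
        """z := N^x, w <- Z_q, a := g^w, b := N^w (all mod p)."""
        self.w = secrets.randbelow(Q)
        return pow(N, self.x, P), pow(G, self.w, P), pow(N, self.w, P)
    def respond(self, c: int) -> int:
        """r := cx + w mod q."""
        return (c * self.x + self.w) % Q

def register() -> dict:
    """Registration Steps 1-3 on B's side: secrets i, j, k, y and public values."""
    while True:
        i, j, k, y = (rnd_star() for _ in range(4))
        h1, h3 = pow(G1, i, P), pow(G3, i, P)
        pk_text = pow(G4, k, P)
        enc = (pow(h3, y, P) * pk_text % P, pow(G3, y, P))   # ElGamal under h3
        M1, M2 = pow(G3, j, P), pow(pk_text, j, P)           # (M1, M2) = (g3^j, pk^j)
        m, M = h1 * G2 % P, M1 * M2 % P
        N = m * M % P
        if m != 1 and N != 1:          # RC's check h1 g2 != 1; N' = N^s must not be 1
            return dict(i=i, j=j, k=k, y=y, h1=h1, h3=h3, pk_text=pk_text,
                        enc=enc, M1=M1, M2=M2, m=m, M=M, N=N)

def withdraw(rc: RegistrationCenter, reg: dict):
    """B's side of Fig. 2. Returns coin' = (N', pk_text, (z', a', b', r')), m', M', s'."""
    N, pk_text = reg["N"], reg["pk_text"]
    z, a, b = rc.commit(N)
    s, u, v = rnd_star(), rnd_star(), secrets.randbelow(Q)   # u must be invertible
    z_p, N_p = pow(z, s, P), pow(N, s, P)
    a_p = pow(a, u, P) * pow(G, v, P) % P
    b_p = pow(b, s * u, P) * pow(N_p, v, P) % P
    c_p = hash_q(N_p, z_p, a_p, b_p, pk_text)
    c = c_p * pow(u, -1, Q) % Q
    r = rc.respond(c)
    # B checks g^r = a h^c and N^r = b z^c before unblinding
    if pow(G, r, P) != a * pow(rc.h, c, P) % P or pow(N, r, P) != b * pow(z, c, P) % P:
        raise ValueError("signer response failed the Fig. 2 check")
    r_p = (r * u + v) % Q
    coin = (N_p, pk_text, (z_p, a_p, b_p, r_p))
    m_p, M_p = pow(reg["m"], s, P), pow(reg["M"], s, P)      # m' = m^s, M' = M^s
    return coin, m_p, M_p, s * reg["j"] % Q                 # s' = sj

def coin_valid(coin, h: int) -> bool:
    """Step 1: g^{r'} = a' h^{c'} and N'^{r'} = b' z'^{c'} mod p."""
    N_p, pk_text, (z_p, a_p, b_p, r_p) = coin
    c_p = hash_q(N_p, z_p, a_p, b_p, pk_text)
    return (pow(G, r_p, P) == a_p * pow(h, c_p, P) % P and
            pow(N_p, r_p, P) == b_p * pow(z_p, c_p, P) % P)

def decomposition_valid(coin, m_p: int, M_p: int, s_p: int) -> bool:
    """Steps 2-3: N' = m'M', N' != 1, m' != 1 and M' = g3^{s'} pk_text^{s'}."""
    N_p, pk_text, _ = coin
    return (N_p == m_p * M_p % P and N_p != 1 and m_p != 1 and
            M_p == pow(G3, s_p, P) * pow(pk_text, s_p, P) % P)

def run_protocol() -> dict:
    """Honest run plus one coin with a corrupted r'; returns the merchant's verdicts."""
    rc = RegistrationCenter()
    reg = register()
    coin, m_p, M_p, s_p = withdraw(rc, reg)
    N_p, pk_text, (z_p, a_p, b_p, r_p) = coin
    forged = (N_p, pk_text, (z_p, a_p, b_p, (r_p + 1) % Q))
    return {"coin_valid": coin_valid(coin, rc.h),
            "decomposition_valid": decomposition_valid(coin, m_p, M_p, s_p),
            "forged_rejected": not coin_valid(forged, rc.h)}
```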


5.3 Identification 

1. Merchant-side retrievals. $\mathcal{M}$ extracts a value $emb = (r_1, r_2)$ from the 
redistributed data item using the same extraction algorithm (consisting of a 
watermarking part and a decoding part) as in [PS99]. This pair should be $(is, s)$ 
with $s \neq 0$; thus he sets $s = r_2$ and $i = r_1 / r_2$. He computes $m' = g_1^{r_1} g_2^{r_2} \bmod p$ 
and uses it to retrieve $coin'$, $M'$, $text$ and $sig_{text}$ from the corresponding purchase 
record of the given data item. If any of these steps do not succeed, he gives up. 
(The collusion tolerance of the underlying code may be exceeded.) Otherwise he 
sends to $\mathcal{RC}$ the triple $proof_0 = (i, text, sig_{text})$. 

2. Registration center retrieval. On input $proof_0$, the registration center 
searches in its registration database for a buyer who has registered the one-time 
account number $h_1 = g_1^i$ and retrieves the values $(pk_B, enc, sig_{coin})$, where $pk_B$ 
corresponds to a real identity $ID_B$. $\mathcal{RC}$ refuses identification if it is clear from 
$text$ that the redistribution was legal. Otherwise $\mathcal{RC}$ decrypts $enc$ using $i$ to 
obtain $pk_{text}$ and verifies that $sig_{text}$ is a valid signature on $text$ for this public 
key $pk_{text}$ with respect to the generator $g_4$. If positive, $\mathcal{RC}$ sends the retrieved 
values to $\mathcal{M}$. 

3. Merchant verification. If $\mathcal{M}$ gets an answer $(pk_B, enc, sig_{coin})$ from $\mathcal{RC}$, 
he first verifies that $sig_{coin}$ is a valid signature with respect to $pk_B$ on the triple 
$(h_1 = g_1^i, h_3 = g_3^i, enc)$. He also verifies that $enc$ correctly decrypts to the value 
$pk_{text}$ contained in $coin'$ with respect to the secret key $i$ and the generator $g_4$. If 
one of these tests fails or $\mathcal{M}$ receives no answer, he starts enforced identification. 


5.4 Enforced Identification 

If $\mathcal{M}$ has to enforce the cooperation of $\mathcal{RC}$, he sends $proof_1 = (coin', s', i, s, text, 
sig_{text})$ to an arbiter A. A verifies the validity of $coin'$ and calls its components 
$(N', pk_{text}, t')$ as usual. Then she verifies that $N' = m'M'$ for $m' = g_1^{is} g_2^s \bmod p$ 
and $M' = g_3^{s'} pk_{text}^{s'}$. Finally, she verifies that $sig_{text}$ is a valid signature on $text$ 
for the public key $pk_{text}$ with respect to the generator $g_4$.⁷ 

If any of these tests fails, A rejects $\mathcal{M}$’s claim. Otherwise she sends $proof_0 = 
(i, text, sig_{text})$ to $\mathcal{RC}$ and requires values $(pk_B, enc, sig_{coin})$. Then A verifies 
them as $\mathcal{M}$ does in Step 3 of identification. 


⁷ This is necessary for the security of $\mathcal{RC}$ by guaranteeing that the division of $N'$ into 
$m'$ and $M'$ is correct, even if $\mathcal{RC}$ is supposed to identify all redistributors independent 
of $text$. 

5.5 Trial 

Now $\mathcal{M}$ tries to convince an arbiter A that B redistributed the data item bought 
under the conditions described in $text$. The values $pk_B$ and $text$ are common 
inputs. Note that in the following no participation of B is required in the trial. 

1. Proof string. $\mathcal{M}$ sends to A the proof string 

$proof = (coin', s', i, s, sig_{text}, enc, sig_{coin})$. 

2. Verification of $i$. A computes $h_1 = g_1^i$ and $h_3 = g_3^i \bmod p$ and verifies that 
$sig_{coin}$ is a valid signature on $(h_1, h_3, enc)$ with respect to $pk_B$. If yes, it means 
that $i$, the discrete logarithm of an account number $h_1$ for which B was responsible, 
has been recovered by $\mathcal{M}$ and thus, as we will see, B has redistributed some 
data item. It remains to verify the link to the terms and conditions described by 
$text$. 

3. Verification of text. A verifies the validity of $coin'$ and calls its components 
$(N', pk_{text}, t')$. She then verifies that $N' = m'M'$ for $m' = g_1^{is} g_2^s \bmod p$ and 
$M' = g_3^{s'} pk_{text}^{s'}$.⁸ She also verifies the signature $sig_{text}$ on the disputed $text$ with 
respect to $pk_{text}$ and the generator $g_4$. These verifications imply that if the accused 
buyer owned this coin, he must have spent it in the disputed purchase 
on $text$. Finally, A verifies that this coin belongs to B: She tests whether $enc$ 
correctly decrypts to $pk_{text}$ if one uses $i$ as the secret key. If all verifications are 
passed, A finds B guilty of redistribution, otherwise $\mathcal{M}$ should be declared as 
the cheating party. 
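
The identification arithmetic of Sections 5.3 and 5.5 as a constructed Python example (added here, not the paper's code): the merchant recovers $i = r_1/r_2$ from an extracted pair $(is, s)$, $\mathcal{RC}$ looks up $h_1 = g_1^i$ and decrypts $enc$ with $i$, and the Schnorr signature on $text$ (with $pk_{text}$ in the hash) is checked. The watermark extraction itself, $pk_B$ and the group parameters are stand-ins; the toy group is a subgroup of order $q = 1019$ in $\mathbb{Z}_{2039}^*$.

```python
"""Identification (Sections 5.3 and 5.5) on a constructed toy group, not the
paper's code: extracted pair -> i, RC lookup by h1 = g1^i, ElGamal decryption
of enc with i, Schnorr verification of sig_text under the recovered pk_text."""
import hashlib
import secrets

P, Q = 2039, 1019                                        # toy primes, q | p-1
G1, G2, G3, G4 = (pow(x, 2, P) for x in (3, 5, 7, 11))  # order-q toy generators

def hash_q(*parts) -> int:
    """SHA-256 over ints (fixed width) and byte strings, reduced mod q."""
    h = hashlib.sha256()
    for v in parts:
        h.update(v if isinstance(v, bytes) else int(v).to_bytes(8, "big"))
    return int.from_bytes(h.digest(), "big") % Q

def schnorr_sign(k: int, pk: int, text: bytes):
    """sig_text with the secret coin key k; pk_text is included in the hashing."""
    w = secrets.randbelow(Q)
    R = pow(G4, w, P)
    c = hash_q(R, text, pk)
    return R, (w + c * k) % Q

def schnorr_verify(pk: int, text: bytes, sig) -> bool:
    """Checks g4^z = R pk^c with c = hash(R, text, pk)."""
    R, z = sig
    return pow(G4, z, P) == R * pow(pk, hash_q(R, text, pk), P) % P

def elgamal_enc(h3: int, y: int, pk: int):
    """enc = (d1, d2) = (h3^y pk_text, g3^y) from registration Step 2."""
    return pow(h3, y, P) * pk % P, pow(G3, y, P)

def elgamal_dec(enc, i: int) -> int:
    """RC's retrieval: pk_text = d1 / d2^i, which works because h3 = g3^i."""
    d1, d2 = enc
    return d1 * pow(pow(d2, i, P), -1, P) % P

def merchant_retrieval(emb, purchase_records):
    """Step 1 of identification: (r1, r2) = (is, s) -> i, then m' = g1^r1 g2^r2."""
    r1, r2 = emb
    if r2 % Q == 0:                       # s must be non-zero to divide by it
        return None
    i = r1 * pow(r2, -1, Q) % Q
    m_prime = pow(G1, r1, P) * pow(G2, r2, P) % P
    record = purchase_records.get(m_prime)
    return None if record is None else (i, record)

def rc_retrieval(proof0, registrations):
    """Step 2: look up h1 = g1^i, decrypt enc with i, verify sig_text under pk_text."""
    i, text, sig_text = proof0
    entry = registrations.get(pow(G1, i, P))
    if entry is None:
        return None
    pk_B, enc = entry
    pk_text = elgamal_dec(enc, i)
    return (pk_B, enc) if schnorr_verify(pk_text, text, sig_text) else None

def run_identification() -> dict:
    """Constructed registration and purchase, then honest and wrong-i retrievals."""
    i, k, y, s = (secrets.randbelow(Q - 1) + 1 for _ in range(4))
    pk_text = pow(G4, k, P)
    enc = elgamal_enc(pow(G3, i, P), y, pk_text)
    registrations = {pow(G1, i, P): ("PK_B_PLACEHOLDER", enc)}   # keyed by h1
    text = b"licence: private use only (constructed)"
    sig_text = schnorr_sign(k, pk_text, text)
    m_prime = pow(G1, i * s % Q, P) * pow(G2, s, P) % P
    purchase_records = {m_prime: (pk_text, text, sig_text)}
    emb = (i * s % Q, s)                  # stands in for the extracted (is, s)
    i_rec, record = merchant_retrieval(emb, purchase_records)
    proof0 = (i_rec, record[1], record[2])
    answer = rc_retrieval(proof0, registrations)
    wrong = rc_retrieval(((i_rec + 1) % Q, record[1], record[2]), registrations)
    return {"i_recovered": i_rec == i,
            "rc_answers": answer is not None,
            # Step 3: enc must decrypt to the pk_text found in coin'
            "merchant_check": answer is not None
                              and elgamal_dec(answer[1], i_rec) == record[0],
            "wrong_i_rejected": wrong is None}
```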

6 Security 

Due to space restrictions we leave out the proofs and only highlight the security 
aspects which in our belief are of more theoretical importance. Hence 
we omit the security for buyers and merchants and sketch security for $\mathcal{RC}$ and 
buyer’s anonymity. For analysis of all security issues we refer the interested 
reader to [PS00]. 

6.1 Security for the Registration Center 

The security requirement is that if the registration center is honest, an honest 
arbiter will never output that $\mathcal{RC}$ is guilty. 

For this, we need the restrictiveness of the underlying blind signature scheme 
for showing that the value $m'$ used in fingerprinting “contains” the same value 
$i$ as the original $m$, and also that the delayed verification of $pk_{text}$ works. 
In [Bra94], Brands only works with two generators $g_1, g_2$, while we use four. 
However, in the underlying report [Bra93] the same assumptions are made and 
heuristically explained for any number of generators $g_1, \ldots, g_n$, and coin systems 
with more than two generators have also been presented in [BGK95, FTY98]. 
The exact assumption we need is the following: 

⁸ The latter verification is not essential, but otherwise $\mathcal{M}$ must include $M'$ in $proof$. 



Anonymous Fingerprinting with Direct Non-repudiation 411 


Assumption 1 (Restrictiveness with Schnorr signature). Let A be a probabilistic 
polynomial-time adversary that can interact with a Brands signer as in Figure 2 
several times for messages $N$ of its choice. A also has to output representations 
of all these messages, i.e., quadruples $(i_1, \ldots, i_4)$ such that 

$N = g_1^{i_1} \cdots g_4^{i_4}$. 

At the end, A has to output a message (coin) $N'$ with a valid signature and a 
representation of $N'$, except that it need not show $i'_4$, but only values $(h'_4, i''_4, msg, \sigma)$ 
such that $N' = g_1^{i'_1} \cdots g_3^{i'_3} h_4'^{\,i''_4}$ and $\sigma$ is a valid Schnorr signature on $msg$ for the 
public key $h'_4$ and the generator $g_4$ (with $h'_4$ included in the hashing). We then define 
$i'_4$ as $i''_4 \log_{g_4}(h'_4)$. 

Then the probability that A fulfills all the conditions and that the vector 
$(i'_1, \ldots, i'_4)$ is not a scalar multiple of one of the vectors $(i_1, \ldots, i_4)$ is negligible. 
(The probability is taken over the random choices of the signer and A.) 

Discussion of the assumption. In a simpler restrictiveness assumption, the 
adversary has to output complete representations of both the blinded and unblinded 
values, i.e., also $i'_4$. In our case, he only outputs a factor $i''_4$ of $i'_4$ and, 
instead of the other factor $k := i'_4 / i''_4$, a Schnorr signature with respect to the 
corresponding public key $h'_4 = g_4^k$. The intuitive idea why this should be secure 
is that a Schnorr signature should be a non-interactive proof of the knowledge 
of the secret key. Such arguments are mentioned, e.g., in [Bra94] (Corollary 9) 
and [FTY96, FTY98]. However, really trying to prove our assumption from the 
simpler one, even in the random oracle model, leads to problems. First, the given 
situation does not fall under the most obvious way to define Schnorr signatures 
to be non-interactive zero-knowledge proofs in the random oracle model: One 
would take $g, h$ as common inputs and an extractor, allowed to simulate the random 
oracle (in a way indistinguishable for the adversary), would have to extract 
the secret $x$ with $h = g^x$. Under this definition, it is easy to prove that Schnorr 
signatures are proofs of knowledge. However, in our situation and many others 
where a non-interactive proof is needed, $h$ is not a common input, but chosen 
by the adversary in the same step as the signature serving as proof. Hence as 
to definitions, it is not clear what $x$ the extractor should extract: simply producing 
pairs $(x, h)$ with $h = g^x$ is trivial. The definition must therefore be made 
with respect to a scenario, i.e., in a joint probability space together with other 
variables. We can, e.g., define that the extractor must output pairs $(x, h)$ where 
$h$ has the same joint distribution with the other variables as the values $h$ output 
by the adversary. 

Now, if the scenario is non-interactive, one can still prove the desired theorem 
by using the forking lemma from [PS96b] if one includes h into the hashing in 
the Schnorr signature. However, in our scenario the adversary interacts with 
the bank as blind signer, in addition to the random oracle. This gives the same 
problems with exponential rewinding as in [PS96c] and [SG98], Section 2.4. It 
may be interesting to investigate how to modify either the proof techniques or 
the scheme so that some proof of this type goes through, but for the moment we 
had to make the stronger assumption. 
In our scheme, $\mathcal{RC}$ could only be found guilty in enforced identification, 
because in a trial an honest arbiter A only finds either B or $\mathcal{M}$ guilty. Under 
Assumption 1 we can prove, as shown in [PS00] in detail, the security for an 
honest $\mathcal{RC}$ with an honest arbiter. 


6.2 Anonymity 

We assume that $\mathcal{RC}$ and $\mathcal{M}$ collude and both may deviate from their protocols, 
hence we call them $\mathcal{RC}^*$ and $\mathcal{M}^*$. We want to show that they learn nothing about 
the purchase behaviour of honest buyers, except for facts that can simply be 
derived from the knowledge of who registered and for what number of purchases, 
and at what time protocols are executed. This should even hold for the remaining 
purchases of a buyer if $\mathcal{RC}^*$ and $\mathcal{M}^*$ obtain some data items this buyer bought. 

In our construction, the only information common to all registrations of a 
buyer is her global key pair $(sk_B, pk_B)$ (recall that we use each $i$ only once). 
She only uses it to generate the signature $sig_{coin}$, and uses neither the keys nor 
this signature in fingerprinting. Thus other fingerprintings and possible redistributions 
of a buyer are statistically independent of one registration and the 
corresponding fingerprinting. Hence we focus on the question whether $view_{reg}$ 
and $view_{fing}$ from such a pair of corresponding protocols are linkable. For this, 
we let an adversary carry out two registrations and then the two corresponding 
fingerprintings in random order. The adversary is considered successful if it can 
guess with probability significantly better than 1/2 which views correspond to 
each other. 

More precisely, first the global parameters are generated (the group and 
generators in our construction), given a security parameter $l$. Then the two 
buyers generate their global keys. Next, the registration protocol $reg$ is run where 
$\mathcal{RC}^*$ inputs the buyer’s public key and the buyer B her secret key. The outputs are 
$\mathcal{RC}^*$’s view and B’s view $view_B$. For $\mathcal{RC}^*$’s view we write $(traf_{reg}, aux_1)$, where 
$traf_{reg}$ (“traffic” in slight abuse of the term) denotes the messages from B to $\mathcal{RC}^*$, 
while the variables $aux_i$ model the adversary’s entire memory between protocol 
executions. Now a bit $b$ is uniformly chosen; it denotes on which registration 
the first execution of fingerprinting is based, assuming that the registrations 
succeeded from the buyers’ point of view. The notation for the fingerprinting 
protocol $fing$ is similar to that for $reg$. Finally, the adversary algorithm $A_{link}$ 
outputs a guess $b^*$ for $b$ based on the adversary’s memory, which may of course 
contain the traffic. The values sent by B are (for simplicity we included $pk_B$ in 
$traf_{reg}$): 

$traf_{reg,0} = (pk_{B,0}, h_{1,0}, h_{3,0}, M_{1,0}, M_{2,0}, enc_0, sig_{coin,0}, c_0, traf^{zkp}_{reg,0})$, 

$traf_{fing,b} = (coin'_b, m'_b, M'_b, s'_b, sig_{text,b}, traf_{embed,b}, traf^{zkp}_{fing,b})$, 

and similarly for $traf_{reg,1}$ and $traf_{fing,1-b}$. Here $c_0$ is the only value sent in the 
withdrawal subprotocol, $coin'_b = (N'_b, pk_{text,b}, t'_b)$ the coin, $traf_{embed,b}$ the traffic 
from Step 4 of fingerprinting and $traf^{zkp}_{reg,0}$, $traf^{zkp}_{fing,b}$ that from all zero-knowledge 
protocols in registration and fingerprinting. The texts to be signed may be chosen 
adaptively by $\mathcal{M}^*$ in $fing$. 

We can prove, as shown in detail in [PS00], that given a successful adversary 
as defined above, there are also successful adversaries in successive scenarios 
where the “buyer” sends fewer and fewer values. This finally leads to a contradiction. 
The anonymity of our scheme is based on the following assumption 
and the random oracle model for the hash function used in the blind signature 
protocol: 

Assumption 2 (Strong Decisional Diffie-Hellman Assumption). No probabilistic 
polynomial-time algorithm $A_{SDDH}$, on inputs of the form 

$(g, g^x, g^y, g^{y^{-1}}, u)$ 

where $u$ is either $g^{xy}$ or a random group element, can distinguish the two cases 
with probability significantly better than 1/2. 
Abstract. Fingerprinting schemes enable a merchant to identify the 
buyer of an illegally distributed digital good by providing each buyer 
with a slightly different version. Asymmetric fingerprinting schemes fur- 
ther prevent the merchant from framing a buyer by making the finger- 
printed version known to the buyer only. In addition, an anonymous 
fingerprinting scheme allows the buyer to purchase goods without re- 
vealing her identity to the merchant. However, as soon as the merchant 
finds a sold version that has been (illegally) distributed, he is able to 
retrieve a buyer’s identity and take her to court. 

This paper proposes a new and more efficient anonymous fingerprinting 
scheme that uses group signature schemes as a building block. A byprod- 
uct of independent interest is an asymmetric fingerprinting scheme that 
allows so-called two-party trials, which is unmet so far. 


1 Introduction 

Today’s computer networks allow the trading of digital goods in an easy and 
cheap way. However, they also facilitate the illegal distribution of (copyrighted) 
data. Fingerprinting schemes are a method for supporting copyright protection. 
The idea is that a merchant sells every customer a slightly different “copy” of the 
good. For instance, in the case of an image, the merchant could darken or lighten 
some pixels. Of course, the fingerprint must be such that a buyer cannot easily 
detect and remove it. When the merchant later finds an illegally distributed copy, 
he can recognize the copy by its fingerprints and then hold its buyer responsible. 
A number of authors (cf. [8]) have studied methods to achieve this for various 
kinds of digital goods. Research is ongoing in this area. 

Whereas fingerprinting as such is a technique that was already used in 
the previous century, security against colluding buyers was achieved only re- 
cently [2,3]. Such schemes tolerate a collusion of buyers up to a certain size, 
i.e., a collusion cannot produce a copy such that the merchant cannot trace it 
back to at least one of the colluders. The first such schemes that were proposed 
are symmetric, meaning that the merchant knows which copy a buyer gets [2,3]. 

T. Okamoto (Ed.): ASIACRYPT 2000, LNCS 1976, pp. 415-428, 2000. 
Thus a malicious merchant could spread himself the version sold to some buyer 
and then accuse that buyer of having done so. 

This problem is overcome by asymmetric schemes [1,12,14]. Here, the buyer 
sends the merchant a commitment to a secret she chose. Then the two carry out 
a protocol at the end of which the buyer possesses the desired digital good, fin- 
gerprinted with the chosen secret, whereas the merchant does not learn anything. 
Hence, whenever the merchant is able to present a sufficiently large fraction of 
the secret contained in a buyer’s commitment, he must have found the copy a 
buyer bought (and distributed) and the buyer is therefore considered guilty. 

In both symmetric and asymmetric schemes, the merchant needs to know a 
buyer’s identity to be able to take her to court if she distributes the purchased 
copy. To protect buyers’ privacy and match with anonymous digital payment 
systems, Pfitzmann and Waidner introduce anonymous asymmetric fingerprint- 
ing [13]. Here, a buyer must no longer identify herself for purchasing and remains 
anonymous as long as she keeps the purchased good secret, i.e., does not dis- 
tribute it. More precisely, the merchant can learn a buyer’s identity only if he 
obtains her purchased copy. This kind of scheme involves a further party, called 
registration center, at which all buyers are required to register prior to any 
purchase. Pfitzmann and Waidner also provide a general modular construction 
consisting of two building blocks. One handles the registration of buyers and 
the generation of the to-be-embedded information and the other building block 
is a method to embed committed information into the to-be-sold data. More 
precisely, the latter uses an error and erasure-correcting code together with an 
asymmetric fingerprinting scheme to guarantee that at least for one of the col- 
luders all her committed secret bits can be extracted from a copy found. 

The first building block uses general zero-knowledge proof techniques and 
renders the resulting scheme rather inefficient and hence it is merely considered 
a “proof of existence” [13]. The second building block can be realized efficiently 
in terms of computations [11]. However, the use of the error and erasure-correcting 
code prohibitively enlarges the number of bits that need to be embedded. 

Recently, Pfitzmann and Sadeghi [11] presented an efficient replacement for 
the first part of this construction. It is derived from the anonymous e-cash scheme 
by Brands [4] . More precisely, it uses its property that coins are anonymous when 
spent once but reveal a user’s identity when spent twice. However, the resulting 
scheme has the drawback that a buyer must register once for each purchase and 
that the merchant has to contact the registration center to retrieve the identity 
of a malicious buyer. 

This paper presents an anonymous fingerprinting scheme that overcomes 
these drawbacks using group signature schemes as its main building block. A 
group signature scheme (e.g., [7,9]) allows a member of a group of users to sign a 
message on the group’s behalf. The scheme protects the privacy of signers in that 
the verifier has no means to determine which member originated a signature or 
whether two signatures stem from the same signer. However, to handle special 
cases of misuse by some user, there is a designated revocation manager who can 
indeed find the identity of a signature’s originator. 
The idea underlying our fingerprinting scheme is to have the buyer issue 
a group signature on a message describing the deal. As opposed to an ordinary 
group signature scheme there is no (fixed) revocation manager. Instead, the 
buyer chooses a secret and public key pair for the revocation manager; this public 
key is then used for issuing the group signature, whereas the secret key gets 
embedded into the sold good. Thus, finding an illegally distributed copy puts 
the merchant in the position of the revocation manager for that particular group 
signature and he can retrieve the identity of the culprit. Due to the properties 
of group signature schemes, each buyer must register only once (registering basically 
amounts to joining the group) and the merchant can retrieve a culprit’s 
identity directly. One version of our scheme can even do without a registration 
center. 

We also improve on the second building block: we exhibit a method for cir- 
cumventing the use of error and erasure correction assuming a trusted third party 
(TTP). This TTP, however, needs only to be involved in the case that a mali- 
cious buyer is taken to court. This method can also be used to get a two-party 
trial for the asymmetric fingerprinting schemes [1,14]. We refer to Section 4 for 
an explanation of two- and three-party trials. Combining both our new build- 
ing blocks gives an anonymous fingerprinting scheme that can tolerate larger 
collusions than previous ones and requires less administration from buyers and 
merchants. 

2 Model of Anonymous Fingerprinting 

Let $P_0 \in \{0, 1\}^*$ denote some digital good (bit-string) that is fingerprintable, 
i.e., some of its bits can be changed such that (1) the result remains “close” to 
$P_0$ but (2) without knowing which particular bits were changed, altering “a 
good portion” of these bits is impossible without rendering the good useless. We 
refer to [3] for a formal definition of this “marking assumption”. Finally, let $\mathcal{V}$ 
denote the set of all “close copies” of $P_0$ and $\ell$ be a security parameter (from 
now on we implicitly assume that $\ell$ is an input to all algorithms and protocols). 

Definition 1. An anonymous fingerprinting scheme involves a merchant, a buyer, 
and a registration center. Let $c$ denote the maximal size of a collusion of 
buyers against which the scheme is secure. An anonymous fingerprinting scheme 
consists of the following five procedures. 

FKG-RC: A probabilistic key setup algorithm for the registration center. Its outputs 
are the center’s secret key $x_C$ and its public key $y_C$, which is published 
authentically. 

FReg: A probabilistic two-party protocol (FReg-RC, FReg-B) between the registration 
center and the buyer. Their common input are the buyer’s identity $ID_B$ 
and the center’s public key $y_C$. The center’s secret input is its secret key $x_C$. 
The buyer’s output consists of some secret $x_B$ and related information $y_B$. 
The center obtains and stores $y_B$ and $ID_B$. 
FPri: A two-party protocol (FPri-M, FPri-B) between the merchant and the buyer. 
Their common input consists of $y_C$. The merchant’s secret input is $P_0$ and a 
transaction number $j$ and his output is a transaction record $t_j$. The buyer’s 
secret input is $x_B$ and $y_B$ and her output consists of a copy $P_B \in \mathcal{V}$. 

FRec: A two-party protocol between the merchant and the registration center. The 
merchant’s input is a copy $P \in \mathcal{V}$, $P_0$, and all transaction records $t_i$. The 
center’s input consists of its secret key $x_C$ and its list of $y_B$’s and $ID_B$’s. The 
merchant’s output is a/the fraudulent buyer’s identity together with a proof 
$p$ that this buyer indeed bought a copy of $P_0$, or $\bot$ in case of failure (e.g., if 
more than $c$ buyers colluded to produce $P$). 

FVer: A verification algorithm that takes as input the identity $ID_B$ of an accused 
buyer, the public key $y_C$ of the registration center, and a proof $p$ and outputs 
1 iff the proof is valid. 

We require that the following conditions hold. 

Correctness: All protocols should terminate successfully whenever their players are 
honest (no matter how other players behaved in other protocols). 

Anonymity and unlinkability: Without obtaining a particular $P_B$, the merchant 
(even when colluding with the registration center) cannot identify a buyer. 
Furthermore, the merchant must not be able to tell whether two purchases 
were made by the same buyer. In other words, all data stored by the merchant 
and registration center and the merchant’s view of a run of FPri must be 
(computationally) independent of the buyer’s secret input $ID_B$, $x_B$, and $y_B$. 

Protection of innocent buyers: No coalition of buyers, the merchant, and the registration 
center should be able to generate a proof $p$ such that $FVer(ID_B, y_C, p) = 1$, 
if buyer $ID_B$ was not present in the coalition. 

Revocability and collusion resistance: There exist no polynomial-time algorithms 
FCol, FPri-B*, and FReg-B* such that for any $ID_1, \ldots, ID_c$ we have 
$FRec(P_0, FCol(P, U)) \notin \{ID_1, \ldots, ID_c\}$ with non-negligible probability, where 
$U = \{FReg\text{-}B^*_{FReg\text{-}RC(i, y_C, x_C)}(y_C) \mid i \in \{ID_1, \ldots, ID_c\}\}$ and 

$P = \{FPri\text{-}B^*_{FPri\text{-}M(P_0, y_C)}(y_C, U, i) \mid i = 1, \ldots, c\}$. 

Some fingerprinting schemes allow the merchant to recover the identity of a 
fraudulent user without the help of the registration center, i.e., FRec is not a 
protocol but an algorithm. 

Realizations of the procedures FPri and FRec typically involve a pair of subprotocols, 
one to embed some secret, committed to by the buyer, into the digital 
good and one to recover the embedded data again. Let $Com$ be a commitment 
scheme, i.e., a (deterministic) function that takes as input the string $x$ to commit 
to and an additional (randomizing) input string $a$. A buyer can commit to some 
$x$ by $C = Com(x, a)$, where $a$ is randomly chosen. We require that the distributions 
of commitments to different $x$’s are (computationally) indistinguishable. 
A commitment $C$ can be opened by revealing $x$ and $a$. We require that it is 
(computationally) infeasible to open a commitment in two ways, i.e., to find 
pairs $(x, x')$ and $(a, a')$ such that $Com(x, a) = Com(x', a')$. If the value of the 
parameter $a$ is not essential, we drop it for notational convenience. 

Definition 2. Let $P_0$ be a fingerprintable good known only to the merchant and 
let $y = Com(x)$ be the buyer’s commitment to some secret $x \in \{0, 1\}^\ell$. An embedding 
method for $P_0$, $x$, and $Com$ consists of the following two procedures: 

Emb: A two-party protocol (Emb-M, Emb-B) between the merchant and the buyer. 
The merchant’s secret input is $P_0$, the buyer’s secret input is $x$ and their 
common input is $y := Com(x)$. The buyer’s output is $P_B \in \mathcal{V}$. 

Rec: An algorithm that takes as input $P_0$ and a fingerprinted copy $P$ of it. 
The algorithm’s output is the data $x$ embedded into $P$. 

We require that the following properties are fulfilled. 

Correctness: $\forall x, P_0 : x = Rec(P_0, Emb\text{-}B_{Emb\text{-}M(P_0, y)}(x, y))$, where $y = Com(x)$. 

Recovery and Collusion-Resistance: There are no polynomial-time algorithms Col 
and Emb-B* such that there is a set $U$ of at most $c$ bit-strings of length 
$\ell$ for which $Rec(P_0, Col(P, U)) \notin U$ with non-negligible probability, where 
$P = \{Emb\text{-}B^*_{Emb\text{-}M(P_0, y)}(x, y) \mid y = Com(x), x \in U\}$. 

Zero-Knowledgeness: For all Emb-M* there exists a simulator such that for all 
$x \in \{0, 1\}^\ell$ the output of the simulator and the view of Emb-M* are (perfectly/statistically/computationally) 
indistinguishable. 

3 Group Signature Schemes 

Definition 3. A group signature scheme consists of the following procedures: 

GKG-M: A key setup algorithm for the membership manager M that outputs her 
secret key $x_M$ and public key $y_M$. 

GKG-R: A key setup algorithm for the revocation manager R that outputs her 
secret key $x_R$ and public key $y_R$. 

GReg: A probabilistic interactive protocol (GReg-M, GReg-U) between the membership 
manager and a group member U. Their common input is the group 
member’s identity $ID_U$ and $y_M$. If both parties accept, the group member’s 
output is her secret key $x_U$ and their common output is U’s membership key 
$y_U$. 

GSig: A probabilistic algorithm that on input of $x_U$, $y_M$, $y_R$, and a message $m$ 
outputs a group signature $s$ on $m$. 

GVer: An algorithm that on input of the group public key $Y$, an alleged signature 
$s$, and a message $m$ outputs 1 if and only if the signature is valid. 

GTrace: An algorithm which on input of the revocation manager’s secret key $x_R$, 
the group’s public key $Y$, a message $m$, and a signature $s$ on $m$ outputs the 
identity $ID_U$ of the originator of the signature and a proof $V$ that $ID_U$ is 
indeed the originator. 
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The following security requirements must hold: 

Correctness of signature generation: All signatures on any messages generated 
by any honest group member using GSig will be accepted by the verification 
algorithm. 

Anonymity and unlinkability of signatures: Given two signature-message pairs, it is only feasible for the revocation manager to determine which group member(s) generated any of the signatures or whether the signatures have been generated by the same group member.

Unforgeability of signatures: It is feasible to sign messages only for group members (i.e., users that have run the registration protocol with the membership manager) or for the membership manager herself.¹

Unforgeability of tracing: The revocation manager cannot falsely accuse a group member of having originated a given signature.

No framing: No coalition of group members, the revocation manager, and the 
group manager can produce a signature that will be associated with a group 
member not part of the coalition. 

Unavoidable traceability: No coalition of group members and the revocation man- 
ager (but excluding the membership manager) can generate a valid signature 
that, when its anonymity is revoked, cannot be associated with a group mem- 
ber. 

To use the group signature scheme for our construction in Section 5, we 
require that the key setup algorithm GKG-R for the revocation manager can 
be run after the algorithms GKG-M and GReg. That is, we require that the 
revocation manager can change her keys after the scheme has been set up and 
without requiring group members to reselect their key material. This property 
is provided by many group-signature schemes (e.g., [5,7,10]). 

4 Previous Fingerprinting Schemes 

All current anonymous and asymmetric fingerprinting schemes [1,12,13,14] are 
based on the symmetric scheme of Boneh and Shaw [3]. This section presents 
this scheme briefly, giving only those details that are needed to describe our 
results. 


4.1 Symmetric Fingerprinting 

A symmetric fingerprinting scheme consists of a set of binary codewords (or marking patterns) $W = \{w_1, \ldots, w_n\}$ that can be embedded into the digital good [3]. Each time a copy is sold a different word is embedded and thereby assigned to the copy's buyer. Let $W' \subseteq W$ denote all assigned codewords. If a redistributed copy is found later it must contain some word $w$ that is a combination of words from $W'$ due to the marking assumption. A scheme is called $c$-secure if there exists an algorithm $A$ such that if a coalition $C$ of at most $c$ buyers generates a copy that contains a word $w$, then $A(w) \in W'$. It is said to have $\varepsilon$-error if the probability that $A(w)$ outputs a codeword that was not assigned to any buyer in $C$ (but might have been assigned to an honest buyer) is at most $\varepsilon$. Boneh and Shaw [3] show that $\varepsilon = 0$ is not possible. They provide a binary code $\Gamma_0$ that is $c$-secure, has $n = c$ codewords, and whose length $l$ is polynomial in $n$ (i.e., $O(n^3 \log(n/\varepsilon))$). Because the number of codewords equals the maximal number of colluding users tolerated, this code has the property that, no matter what a collusion does, the merchant will be able to extract a codeword assigned to one of the colluders with high probability (i.e., greater than $1 - \varepsilon$, with $\varepsilon = 2n \cdot 2^{-l/(2n^2(n-1))}$).

¹ The membership manager can always invent a fake identity and register it as a group member. It is understood that if a signature turns out to originate from a fake identity, the membership manager is considered guilty.

Based on this code, Boneh and Shaw construct a random code $\Gamma$ over $\Gamma_0$, i.e., each codeword in $\Gamma$ consists of the concatenation of, say, $L$ randomly chosen codewords from $\Gamma_0$. Extraction of an embedded word from an illegally distributed copy will now in general no longer yield a codeword assigned to one of the colluders but only a word whose components (codewords from $\Gamma_0$) stem from codewords assigned to the colluding users. Because at least $L/c$ components of the extracted word must stem from a codeword assigned to one of the colluders, the extracted word must match that colluder's codeword in at least $L/c$ positions, provided that the (malicious) buyers do not know any of the codewords. Therefore, a member of the collusion can be found by comparing all assigned codewords with the extracted word (provided that the number of codewords in $\Gamma$ is not too large, cf. [3]). The resulting code $\Gamma$ has length $c^{O(1)} \log(n)$, where $n$ is the number of codewords (or, equivalently, the number of possible buyers).

Remark. As the number of bits that can be embedded in a particular good is usually fixed, the length of the codewords translates into a maximum size of collusions that can be tolerated and a maximum number of buyers the good can be sold to.
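The inner code $\Gamma_0$ of Boneh and Shaw and its tracing algorithm, as an added Python example (not code from the paper or from [3]): it builds $\Gamma_0(n, d)$, lets a coalition forge a copy under the marking assumption, and traces the forgery back to a colluder. The block size, codeword layout and tracing threshold follow [3]; the secret bit permutation, the three colluder strategies and the sample coalitions are constructed here and are assumptions of the example, not part of the original text.

```python
import math
import random

# Added example, not code from the paper or from Boneh and Shaw [3]: a toy
# model of the inner code Gamma_0(n, d) of [3] and of its tracing algorithm,
# illustrating why a code with n = c codewords lets the merchant always find
# a colluder. Codeword i (1 <= i <= n) has n-1 blocks B_1..B_{n-1} of d bits:
# block B_j is all ones for users i <= j and all zeros for users i > j.
# Assumed (as in [3]): the merchant embeds the bits in a secret random order,
# so colluders cannot tell which block a given bit position belongs to.


def gamma0_codeword(i, n, d):
    """Codeword i of Gamma_0(n, d), in logical (unpermuted) bit order."""
    return [1 if i <= j else 0 for j in range(1, n) for _ in range(d)]


def block_size(n, eps):
    """d = 2 n^2 log2(2n / eps), the block size for which [3] proves that
    Gamma_0(n, d) is n-secure with eps-error."""
    return math.ceil(2 * n * n * math.log2(2 * n / eps))


def embed(codeword, perm):
    """Hide the block structure: logical bit k is stored at position perm[k]."""
    out = [0] * len(codeword)
    for k, pos in enumerate(perm):
        out[pos] = codeword[k]
    return out


def collude(copies, strategy, rng):
    """Forge a copy under the marking assumption: a bit may be changed only at
    positions where the colluders' copies differ. Strategies: 'zero', 'one'
    and 'random' (a fresh coin per detectable position)."""
    pirate = []
    for pos in range(len(copies[0])):
        column = {copy[pos] for copy in copies}
        if len(column) == 1:                 # undetectable: bit must be kept
            pirate.append(column.pop())
        elif strategy == "zero":
            pirate.append(0)
        elif strategy == "one":
            pirate.append(1)
        else:
            pirate.append(rng.randrange(2))
    return pirate


def trace(pirate, n, d, eps, perm):
    """Tracing algorithm of [3] for Gamma_0: returns a user index that is in
    the coalition with probability at least 1 - eps."""
    x = [pirate[pos] for pos in perm]        # undo the secret permutation

    def weight(j):                           # Hamming weight of block B_j
        return sum(x[(j - 1) * d:j * d])

    if weight(1) > 0:                        # only user 1 has ones in B_1
        return 1
    if weight(n - 1) < d:                    # only user n has zeros in B_{n-1}
        return n
    for s in range(2, n):
        k = weight(s - 1) + weight(s)
        # If user s is innocent, the colluders see B_{s-1} and B_s identically
        # and (not knowing perm) spread their ones evenly over both blocks;
        # a skew beyond this Chernoff-style bound therefore implicates s.
        if weight(s - 1) < k / 2 - math.sqrt((k / 2) * math.log(2 * n / eps)):
            return s
    return None                              # does not occur for d as in [3]


def simulate(n, eps, coalition, strategy, seed=0):
    """Sell n fingerprinted copies, let `coalition` forge one, trace it.
    Constructed scenario; returns the accused user index."""
    rng = random.Random(seed)
    d = block_size(n, eps)
    perm = list(range((n - 1) * d))
    rng.shuffle(perm)
    copies = {i: embed(gamma0_codeword(i, n, d), perm) for i in range(1, n + 1)}
    pirate = collude([copies[i] for i in sorted(coalition)], strategy, rng)
    return trace(pirate, n, d, eps, perm)


if __name__ == "__main__":
    for coalition, strategy in (({1, 3}, "zero"), ({2, 3}, "one"), ({2, 4}, "random")):
        accused = simulate(4, 0.01, coalition, strategy)
        print(f"coalition {sorted(coalition)} using '{strategy}': accused user {accused}")
```

With $n = 4$ and $\varepsilon = 0.01$ the code already has $d = 309$ bits per block, i.e. 927 bits per codeword, which is the growth the remark above refers to.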

4.2 Asymmetric Fingerprinting 

In a nutshell, the idea behind an asymmetric scheme is as follows. First the 
buyer commits to some secret. Then merchant and buyer engage in a secure 
two-party protocol (henceforth called APri), at the end of which the buyer has 
obtained a copy of the good with her secret and some serial number (chosen by 
the merchant) embedded, whereas the merchant obtains the buyer’s signature 
on a text describing their deal and on a commitment to the buyer’s secret. 
Later, when the merchant finds an illegally distributed copy, he should be able 
to extract one of the colluding buyers’ secret and the serial number from that 
copy. Being able to produce a buyer’s secret will presumably convince a judge 
of her guilt. This approach is proposed by Pfitzmann and Schunter [12] for use with the code $\Gamma_0$, in which case the protocol APri is reasonably efficient. However, when used with $\Gamma$, this approach renders the protocol APri prohibitively inefficient.
Pfitzmann and Waidner [14] solve this problem as follows (Biehl and Meyer [1] independently proposed a similar solution): During protocol APri, merchant and buyer construct on the fly a code similar to $\Gamma$, that is, they together choose $L$ random codewords $w_1, \ldots, w_L$ from $\Gamma_0$ such that the first half of each $w_i$ consists of bits chosen by the merchant (but not known to the buyer) and the second half consists of bits chosen by the buyer (of which the merchant gets to know only commitments $C_i$). At the end of the protocol, the buyer obtains a copy of the digital good with the codewords $w_1, \ldots, w_L$ embedded in it, whereas the merchant gets commitments $C_1, \ldots, C_L$ of the parts the buyer chose. When finding an illegally distributed copy, the merchant extracts the embedded word, and then can use a similar decoding strategy as the one described earlier for $\Gamma$ (restricted to the parts of the codewords known to him). Thus he will be able to identify one of the colluding buyers and also learn about $L/c$ of the values committed to by $C_1, \ldots, C_L$ of the identified colluder and hence prove her guilt.

All these schemes have the property that the judge will not be able to tell 
on her or his own whether the commitments indeed contain the values that 
the merchant presents (this is a property of every secure commitment scheme). 
Therefore, the accused buyer must take part in the trial (which seems a natural 
requirement) and will be found guilty only if she is not able to prove that most 
of her commitments do not contain the value presented by the merchant. This 
is called a three-party trial [14]. 

Subsequently, Pfitzmann and Waidner [13] improve on this and exhibit a new 
asymmetric fingerprinting scheme that allows two-party trials. This scheme has 
the property that the merchant can extract all secret bits of one of the colluding 
buyers. This is achieved by using an error and erasure-correcting code (EECC) on 
top of the scheme described in the previous paragraph [14]. In addition, the buyer 
now also signs the result of some one-way function applied to her secret bits, 
and thus the judge will be able to verify whether the merchant indeed presents 
a malicious buyer’s secret bits by testing whether these bits are the function’s 
pre-image of the value the buyer signed. Hence a trial could be held without 
the accused buyer. The price for this improvement is that the use of the EECC increases significantly the number of bits that need to be embedded because the code must be able to handle a large number of erasures. To give a rough idea of this increase, in this scheme the underlying code $\Gamma_0$ must have $n = O(1)\, c^2 l$ codewords, whereas it is $n = O(1)\, c$ in the one described previously [14], where $c$ is the size of the tolerated collusion and $l$ is the bit length of the buyer's (whole) secret to be embedded. (Recall that the bit length of codewords from $\Gamma_0$ is polynomial in $n$.) However, the purchase protocol for this new scheme can be
realized quite efficiently [11]. Finally, we note that this asymmetric fingerprinting 
scheme in fact realizes the two procedures Emb and Rec of Definition 2, thus 
allowing the construction of an anonymous fingerprinting scheme as we will see. 


4.3 Anonymous Fingerprinting 

Anonymous fingerprinting takes asymmetric fingerprinting one step further in 
that the merchant no longer gets to know an honest buyer’s identity. Of course, 
if the merchant finds an illegally distributed copy, he must nevertheless be able
to retrieve the identity of a malicious buyer. 

Building on the asymmetric fingerprinting scheme proposed in the same pa- 
per, Pfitzmann and Waidner [13] construct an anonymous fingerprinting scheme 
as follows. They introduce an additional party, a registration center, at which 
a buyer has to register beforehand under her real identity. To do so, the buyer 
chooses a pseudonym and a public/secret key pair of any signature scheme and 
receives a certificate for the public key and pseudonym. When purchasing some 
digital good from the merchant, the buyer commits to the certificate, the public 
key, the pseudonym, and a signature under this public key on a text describing 
their deal and sends these commitments to the merchant. She then proves to 
the merchant (in zero knowledge) that what is contained in the commitment is 
sound. Upon this, the two parties use the embedding protocol Emb as realized 
by the asymmetric scheme [13] described last in the previous section. As a result, 
the buyer obtains a copy with all the committed information embedded into it, 
whereas the merchant learns nothing. Apart from the commitment, the merchant 
obtains no information about the buyer during the transaction, but is assured 
that if he later finds an illegally distributed copy he will obtain all identifying 
information. However, the only known realization of this approach requires gen- 
eral zero-knowledge proof techniques, which are rather inefficient and thus the 
resulting anonymous fingerprinting scheme is considered an existence result [13]. 

Pfitzmann and Sadeghi [11] replace this general construction by an explicit 
and efficient one derived from the digital payment system by Brands [4]. Coins in 
that payment system are anonymous, but contain some identifying information 
that can be extracted as soon as a user spends a coin more than once (and 
only then). This information will then allow the bank to obtain the double- 
spender’s identity. Pfitzmann and Sadeghi exploit this property as follows. The 
registration center plays the role of the bank and issues anonymous coins to 
registering buyers. Then, when purchasing some digital good, the buyer presents 
such a coin to the merchant. If the coin is valid, the merchant will be convinced 
that it contains information that will allow the registration center to retrieve 
the buyer’s identity. Finally, they use the asymmetric fingerprinting scheme [13] 
such that the identifying information contained in the coin will be embedded 
in the sold copy. Owing to the algebraic properties of the payment system, the 
resulting protocol is quite efficient. However, two disadvantages remain: (1) a 
buyer must register with the center before each purchase and (2) the merchant 
must contact the center to learn the identity of a malicious buyer. 

In the following section we provide another replacement for the general con- 
struction by Pfitzmann and Waidner [13] that uses a group signature scheme, is 
efficient, and overcomes these two restrictions. That is, our construction allows 
the merchant to directly identify the buyer of an illegally distributed copy and 
the buyer needs to register only once (or even not at all, depending on the kind 
of group signature scheme used, as we shall see). 
5 Anonymous Fingerprinting Using Group Signatures

In this section we show how the asymmetric fingerprinting scheme [13] and any 
suitable group signature scheme can be combined to achieve an anonymous fin- 
gerprinting scheme. Suitable means that the key setup of the revocation manager 
can run after the registration of group members. This is true for many known 
group signature schemes (e.g., [5,7,10]). 

The idea underlying our construction is that the registration center in the 
anonymous fingerprinting scheme plays the role of the membership manager in 
the group signature scheme. Every user that registers at the center then becomes 
a member of the group in the group signature scheme, i.e., the group consists of 
all registered buyers. When a user wants to buy some digital good $P_0$, he first runs the group signature scheme's key-generation protocol for the revocation manager and gets a key pair, say $y_R$ and $x_R$. Then the buyer signs a document describing the deal using the group signature scheme, where $y_R$ is used as the revocation manager's public key. Note that a different revocation manager's key pair is used for every instance of the purchase protocol. Finally, the merchant and the buyer carry out the asymmetric fingerprinting protocol with respect to $x_R$, i.e., such that $x_R$ is embedded into $P_0$. Whenever the merchant obtains an (illegally distributed) copy $P$, he can extract² $x_R$, the secret key corresponding to $y_R$. This puts him into the position of the revocation manager for the instance of the group signature scheme that used $y_R$, and hence he can revoke the buyer's anonymity and identify her.

More formally, our anonymous fingerprinting scheme is as follows. Let 
(GKG-M, GKG-R, GReg, GSig, GVer, GTrace) be a suitable group signature scheme 
and (Emb, Rec) be an embedding protocol and a recovery algorithm for a com- 
mitment scheme Com as provided by the asymmetric fingerprinting scheme [13]. 
Let Po denote the digital good for sale. 

FKG-RC: The registration center runs GKG-M to get the key pair $(y_M, x_M)$ and publishes $y_M$.

FReg: The center and the buyer run (GReg-M, GReg-U). The buyer gets $y_U$ and $x_U$. The center gets and stores $ID_U$ and $y_U$.

FPrint: Let $m$ be the text that describes the deal. The buyer first runs GKG-R to obtain a key pair $(y_R, x_R)$, signs $m$ by computing $\sigma := \mathrm{GSig}(x_U, (y_R, y_M), m)$, and sends the merchant $\sigma$, $y_R$, and $y = \mathrm{Com}(x_R)$. The buyer proves to the merchant that $y$ indeed commits to the secret key corresponding to $y_R$. The merchant verifies $\sigma$ using GVer and, if it was successful, the two parties engage in the protocol Emb, where the merchant's input is $P_0$ and $y$, the buyer's input is $x_R$ and $y$, and the buyer's output is a fingerprinted copy of $P_0$.

FRec: Let $P$ be a copy of $P_0$ produced by at most $c$ dishonest buyers. Running Rec on $P$, the merchant obtains some $x_R$. This allows him to compute $y_R$ and find the group signature $\sigma$ in his database. Running $\mathrm{GTrace}(x_R, (y_R, y_M), m, \sigma)$, the merchant learns the identity of one of the buyers in the collusion that produced $P$.

² Here, we assume that fewer than $c$ buyers colluded to generate the distributed copy.


Theorem 1. Given a secure group signature scheme where the key setup of the revocation manager can be run after the registration of group members and a secure and collusion-resistant embedding method, the above construction is a secure anonymous asymmetric fingerprinting scheme.

Proof. Correctness: By inspection. 

Anonymity and unlinkability: All information the merchant obtains during a purchase is a group signature on a message that describes the deal. Owing to the properties of the embedding scheme, the merchant gets no information about the secret key $x_R$ corresponding to $y_R$. Because group signatures are anonymous and unlinkable for everybody but the one knowing $x_R$, purchases are anonymous and unlinkable.

Protection of innocent buyers: In order to frame an innocent buyer a coalition would either have to produce a group signature with respect to some public key $y'_R$ they can choose, or they would have to come up with a fingerprinted copy containing the secret key for some $y_R$ that the buyer used in a purchase. The first attack is prevented by the "no-framing" property of the group signature scheme. The second attack is infeasible due to the zero-knowledge property of the embedding protocol.

Revocability and collusion resistance: Given the collusion resistance and the correctness of the embedding scheme, the merchant can recover at least the secret key for one of the $y_R$'s that was used by a member of the collusion if it contains fewer than $c$ buyers. Knowing the secret key of some $y_R$ places the merchant in the position of the revocation manager in the group signature scheme and hence he can revoke the anonymity of the buyer/group member.


5.1 Discussion and Comparison with Previous Solutions 

It is easy to see that buyers in our anonymous fingerprinting scheme need to 
register only once and can then buy many goods without these transactions being 
linkable. Whether the merchant is able to retrieve the identity of a malicious 
buyer on his own depends on the group signature scheme chosen. We discuss 
this briefly as well as other properties the fingerprinting scheme will have as a 
function of the type of group signature scheme that is applied. 

Most newer group signature schemes (including [6,7]) can be used for our 
construction. These schemes have the property that the group’s public key and 
the length of signature are independent of the group’s size. A signature in those 
schemes typically contains a randomized encryption of identifying information 
under the revocation manager’s public key. If a group signature scheme is used 
that allows the revocation manager to trace a signature without any interaction 
with the membership manager, it follows that the merchant need not interact 
with the registration center to identify a malicious buyer. This is possible for 
instance with the recent group signature scheme by Camenisch and Michels [6]. There, a group member chooses her own RSA modulus that upon signing is encrypted under the revocation manager's public key. Thus, when the membership manager (aka registration center) enforces that the most significant bits are set to the identity of the group member (aka buyer), a direct identification is possible. The efficiency of the resulting fingerprinting scheme is governed by the embedding protocol Emb. Because this is the same for the scheme by Pfitzmann and Sadeghi [11], the two schemes have about the same efficiency. Thus, the main advantage of our scheme is that it overcomes the latter's drawbacks that a buyer must register prior to each purchase and that the merchant needs to contact the registration center to identify a malicious buyer.

If we apply the group signature scheme described in [5] and assume a public key infrastructure, we do not even need a registration center. This group signature scheme works with any semantically secure public key encryption scheme on the revocation manager's side, and the buyer can use any public key signature or identification scheme that fulfills certain properties [5]. This includes for instance the RSA, DSS, or Schnorr signature schemes. The group's public key in this scheme consists of a list of users' public keys and certificates on them. Thus, using this scheme, a buyer can simply present the merchant with any list of public keys and certificates among which she would like to hide and choose some public and secret key of an encryption scheme. Then, using the group signature scheme, the buyer signs the purchase contract and engages with the merchant in protocol FPrint. The resulting fingerprinting scheme will not need a registration center at all and the merchant is able to identify a malicious buyer on his own. However, the merchant needs to store the list of all the public keys and certificates the buyer presents as well as the group signature, which is about the same size as this list. As long as the number of public keys presented by the buyer is not too large (i.e., much smaller than the number of bits of the sold good), the scheme's efficiency is governed by the embedding protocol Emb.

6 Replacing Error and Erasure Correction by TTPs 

As described in Section 4, the asymmetric fingerprinting scheme [13] underlying 
our (and all other known) anonymous fingerprinting scheme uses an error and 
erasure-correcting code to guarantee the full recovery of one of the colluders’ 
committed secret from a found copy. As mentioned earlier, this error and erasure 
correction significantly increases the number of bits that ultimately need to be 
embedded. 

To be able to base our anonymous fingerprinting scheme on the more effi- 
cient asymmetric fingerprinting schemes [1,14] and thereby circumvent error and 
erasure correction, we extend the model by a trusted third party (TTP). This 
TTP will be responsible for identifying malicious buyers. Of course, the TTP 
must not be involved in normal operations but only in the case that it comes to 
a trial. Moreover, the trust to be put in the TTP shall be minimal, i.e., buyers 
need to trust the TTP only that it does not reveal identities at will and the 
merchant needs to trust only that the TTP cooperates in identifying malicious players. Other than that, the TTP is not trusted, e.g., a coalition of the TTP and the merchant must not be able to frame an honest buyer. The judge, who has to take part in the trial anyway, could for instance serve as the TTP. To reduce the risk of fraudulent behavior, the TTP could be distributed (techniques for this are standard).

The general idea for our scheme with a TTP is to use the group signature 
scheme in the way originally conceived: the TTP plays the role of the revocation 
manager and the role of the membership manager is assumed by the registra- 
tion center. Then, we use one of the asymmetric fingerprinting schemes [1,14] 
but without the buyer identifying herself and with her signature scheme being 
replaced by the group signature scheme. Now, if the merchant finds an illegally 
distributed copy and extracts the embedded information, the trial can take place 
as in the asymmetric scheme with the difference that the TTP must first identify 
the accused buyer via the revocation mechanism of the group signature scheme. 
Thus, we have an anonymous fingerprinting scheme. 

Owing to the three-party-trial nature of efficient asymmetric fingerprinting 
schemes [1,14], the merchant cannot provide evidence to the TTP (aka revocation 
manager) that the buyer he wishes to identify is indeed malicious. A dishonest 
merchant could take advantage of this and learn the identity of an honest buyer 
simply by accusing her. This can be prevented by doubling the length of the 
parts of the $L$ codewords from $\Gamma_0$ that the buyer chooses and then requiring
the anonymous buyer to verifiably encrypt (see, e.g., [5]) the first half of each of 
her (secret) parts under the TTP’s public key. Then, the merchant stores these 
encryptions as part of his transcript. The rest of the scheme remains unchanged. 
Later, when finding an illegally distributed copy, extracting the embedded in- 
formation and thereby linking the copy to a purchase transcript, the merchant 
sends the transcript together with the first half of the extracted buyer parts of 
codewords to the TTP. Receiving this, the TTP decrypts the verifiable encryp- 
tions and compares the result with the corresponding parts that the merchant 
claims to have extracted from the copy. If most of these match (the merchant 
must be allowed a certain error rate, see [1,14]), the TTP reveals the identity of 
the buyer (who can then be taken to court); otherwise the TTP refuses. After 
finding out the identity of one of the colluders, the merchant can take her to 
court as before. 

It is easy to see that, as long as the TTP is honest, the merchant is guaranteed 
to learn the identity of a malicious buyer, whereas an honest buyer’s anonymity is 
protected. Finally, the probability that a collusion of the TTP and the merchant 
can frame a buyer is the same as for the merchant in the underlying asymmetric 
scheme. With respect to efficiency, the number of bits that are embedded is at
most a factor of 2 greater than for the original asymmetric scheme.

We briefly describe how a TTP could also be used to achieve an asymmetric 
fingerprinting scheme with a two-party trial. The drawback of the asymmetric 
fingerprinting schemes [1,14] with a three-party trial is that a (malicious) mer- 
chant can accuse any buyer of misconduct, causing the buyer the inconvenience 
of going to court to prove her innocence. This is because in these schemes, it
is not possible for the judge to check whether the evidence provided by the 
merchant is real. Thus the judge must always start a trial. 

This can be overcome by using a TTP (which could be the judge himself) in 
the same way as described earlier in this section, neglecting the group signature 
scheme entirely. This results in an asymmetric fingerprinting scheme where the 
judge could use the TTP to check the evidence before opening a trial. Hence, 
a merchant can no longer accuse an honest buyer, as long as the TTP remains 
honest. Moreover, if the buyer trusts the TTP, then she can also discard her 
purchase transcript. 
Abstract. We introduce weaker models for non-interactive zero knowledge, in which the dealer is not restricted to deal a truly random string and may also have access to the input to the protocol (i.e. the statement to prove). We show in these models a non-interactive statistical zero-knowledge proof for every language that has an (interactive) statistical zero-knowledge proof, and a computational zero-knowledge proof for every language in NP. We also show how to change the latter proof system to fit the model of non-interactive computational zero-knowledge with preprocessing to improve existing results in terms of the number of bit commitments that are required for the protocol to work.


1 Introduction 

When zero-knowledge proofs were first introduced by Goldwasser, Micali and 
Rackoff [10] it seemed that interaction played a crucial role in those proof sys- 
tems. Indeed zero-knowledge was shown to exist only for languages in BPP in 
the most straightforward non-interactive model ([12]). Blum, Feldman and Micali [1] showed however that if we change the model slightly then zero-knowledge can be achieved for languages not known to be trivial. In their model they assumed that both prover and verifier are dealt a truly random string called the reference string.
the verifier and then the verifier decides whether to accept or reject according 
to this message, the input and the reference string. 

Non-interactive zero-knowledge proofs are not only communication efficient, they
also have several applications not offered by interactive zero-knowledge proofs. 
They have been used in applications like digital signature schemes secure against 
adaptive chosen message attack ([2]), public key cryptosystems secure against 
chosen cipher text attack ([5], [18]), and memoryless key distributions ([2]). 
Two notions of non-interactive zero-knowledge proofs have been studied: sta- 
tistical zero-knowledge where the distribution over the real protocol is statisti- 
cally close to the distribution induced by the simulator, and computational zero- 
knowledge where these two distributions are computationally indistinguishable. 
Statistical zero-knowledge. The study of non-interactive statistical zero- 
knowledge has been recently initiated by [6]. They showed a complete promise 
problem for the class of languages that have non-interactive statistical zero- 
knowledge proofs (denoted NISZK). They were followed by [14] who studied 
the relationships between the class of languages that have interactive statistical
zero-knowledge proofs (denoted SZK) and NISZK. They showed conditions 
under which these two classes are equal; in particular, they showed that if NISZK is closed under complementation then NISZK = SZK.

Computational zero-knowledge. Blum et al. ([1]) showed that every language in NP has a non-interactive computational zero-knowledge proof based on a number theoretic assumption. Since then various researchers improved this result by both relaxing the assumptions needed and making the proofs more efficient in terms of the number of committed bits ([3], [4], [8], [17]). The most recent results are based on the assumption that one-way permutations exist. In [7] a weaker model was introduced called non-interactive zero-knowledge with preprocessing. They showed that every language in NP has a proof system in this model based on the assumption that one-way functions exist.

Our work. In this paper we investigate relaxed versions of the non-interactive zero-knowledge with random reference string model. Specifically, we consider models in which the dealer (we refer to the dealer as the entity that provides the reference string to the protocol) is not restricted to deal a string of independent unbiased coin flips to the prover and the verifier (a private coins dealer rather than a public coins one that can only publish his coin flips). Two models are considered: in the first, the reference string is a sample from a distribution that can be sampled efficiently. In the second model, this distribution can also depend on the input to the protocol.

For statistical zero-knowledge we show that the class of languages that have a non-interactive statistical zero-knowledge proof system with a (polynomial-time) dealer that has access to the input equals the class SZK. This result not only gives a new characterization of the class SZK but it also shows that if the dealer is given sufficient abilities (i.e. access to the input and the ability to compute) then every language in SZK has a communication efficient statistical zero-knowledge proof (with a reference string). In the traditional model of statistical zero-knowledge, the known generic protocols for SZK require a polynomial number of communication rounds ([13]).

For computational zero-knowledge we show for every language in NP a non-interactive zero-knowledge proof system with a dealer that can make polynomial-time computations but does not have access to the input. The proof has perfect completeness, perfect soundness, and it is based on the weakest cryptographic assumption of the existence of one-way functions. We then show how this proof can be changed to fit the non-interactive zero-knowledge with preprocessing model, to improve (in terms of the number of bit commitments) a protocol by [7]. We also overview some known applications of non-interactive zero-knowledge and check what additional assumptions or changes need to be made (if at all) in order to replace the random reference string model with the relaxed models in these applications. In particular we argue that the digital signature scheme of [2] which is secure against adaptive chosen message attack can be done with our model.
2 Definitions

Let us first recall the definition of non-interactive zero-knowledge with a random reference string ([1]).

Definition 1. A non-interactive computational (resp. statistical) zero-knowledge proof system with a random reference string for a language L is defined by a computationally unbounded TM P (the prover), a probabilistic polynomial-time TM V (the verifier), a probabilistic polynomial-time TM S (the simulator) and a polynomial q. On an input x both P and V have access to a shared random reference string $\sigma$, where $\sigma \in_R \{0,1\}^{q(|x|)}$. The proof consists of one message sent from P to V, and then V, based on x, $\sigma$ and this message, either accepts or rejects. The following should hold:

1. (completeness) if $x \in L$ then $\Pr(V(x, \sigma, P(x, \sigma)) = \text{accept}) > 2/3$

2. (soundness) if $x \notin L$ then for every prover strategy $P^*$, $\Pr(V(x, \sigma, P^*(x, \sigma)) = \text{accept}) < 1/3$

3. (zero-knowledge) if $x \in L$ then the following two distributions are computationally indistinguishable (resp. have statistical difference bounded by a negligible function):

(a) $(\sigma, P(x, \sigma))$

(b) $S(x)$

We now define relaxed versions of the shared random reference string model. The first relaxation is that the shared reference string need not be truly random; we only require that it can be sampled in polynomial time.

Definition 2. A non-interactive computational (resp. statistical) zero-knowledge proof system with a protocol-dependent reference string for a language L is defined by P, V, S and q as above, and the reference string is $\sigma = f(r)$, where f is a polynomial-time computable function and $r \in_R \{0,1\}^{q(|x|)}$.

The second relaxation is that the shared reference string can not only be non-uniformly distributed, it can also depend on the input.

Definition 3. A non-interactive computational (resp. statistical) zero-knowledge proof system with an input-dependent reference string for a language L is defined by P, V, S and q as above, and the reference string is $\sigma = f(x, r)$, where f is a polynomial-time computable function, x is the input to the protocol, and $r \in_R \{0,1\}^{q(|x|)}$.

Note that non-interactive zero-knowledge under all the definitions is closed under parallel repetition, therefore the error bound can be brought down to be exponentially small in the length of the input.

We denote by NICZK (resp. NISZK), Protocol-Dependent NICZK (resp. Protocol-Dependent NISZK), and Input-Dependent NICZK (resp. Input-Dependent NISZK) the classes of languages possessing a non-interactive computational (resp. statistical) zero-knowledge proof system with a shared random, protocol-dependent and input-dependent reference string respectively. SZK is the class of all languages that have a statistical zero-knowledge proof system as defined by [10].
3 Statistical Zero-Knowledge

In this section we show that if we relax the model of non-interactive proof systems then every language in SZK has a proof system in the relaxed model:

Theorem 4. SZK = Input-Dependent NISZK.

3.1 Motivation 

It is an interesting question to understand how much more can be proven in non-interactive statistical zero-knowledge as we gradually increase the power of the dealer. By the power of the dealer we mean the type of computations he can do, and whether he has access to the input (the statement to prove). Clearly, if the dealer is computationally unbounded and has access to the input then everything computable can be proven non-interactively with perfect zero-knowledge, by using the dealer as an unbounded trusted prover that tells the verifier whether the statement is correct or not. What happens if we do not give the dealer so much power? We can divide the languages into classes according to the power of the dealer in the non-interactive statistical zero-knowledge proof systems for them. We have the following hierarchy of classes, each one containing the class above it:

- No dealer: this class equals BPP ([12]).

- The dealer can just toss coins (a public coins dealer): this is the class NISZK; languages not known to be in BPP were shown to be in this class ([6], [14]).

- The dealer can toss coins and make polynomial-time computations (a private coins polynomial-time dealer): this is the class Protocol-Dependent NISZK.

- A private coins polynomial-time dealer with access to the input: this is the class Input-Dependent NISZK, which equals SZK (Theorem 4).

- A private coins unbounded dealer with access to the input: everything computable is in this class.

By showing the exact location of SZK in this hierarchy we get a strong connection between the question of how much interaction is needed for statistical zero-knowledge and how much power the dealer must have in non-interactive statistical zero-knowledge. A better understanding of this hierarchy can shed light on the SZK vs. NISZK question ([14]).

3.2 Separating Distributions 

An important notion in the proof of Theorem 4 will be the statistical difference between two distributions. Let us first define the statistical difference and some notation concerning it.

Definition 5. Let X and Y be two distributions (or random variables) over a discrete space D. The statistical difference between X and Y, denoted $\|X - Y\|$, is:

$$\|X - Y\| = \max_{S \subseteq D} \left| \Pr(X \in S) - \Pr(Y \in S) \right|$$

Throughout this paper we consider distributions with a "succinct" description, i.e. distributions produced by circuits (with multiple output gates) when feeding them a uniformly chosen input. We write C when we refer both to the circuit itself and to the distribution it induces. We use the notation $x \leftarrow C$ to denote that x is a sample taken from the distribution C, i.e. the output of the circuit C when feeding it a uniformly chosen input.

In our proof of Theorem 4 we will use the promise problem STATISTICAL-DIFFERENCE, shown to be complete for the class SZK ([21]), and a "separated" version of this problem.

Definition 6. STATISTICAL-DIFFERENCE (SD) is the following promise problem:

$$SD_Y = \{(D_0, D_1) : \|D_0 - D_1\| > 2/3\}$$

$$SD_N = \{(D_0, D_1) : \|D_0 - D_1\| < 1/3\}$$

where $(D_0, D_1)$ is a pair of distributions with "succinct" description.

Definition 7. "Separated" STATISTICAL-DIFFERENCE (SD') is the following promise problem:

$$SD'_Y = \{(D_0, D_1) : \text{for } x \leftarrow D_0,\ \Pr(x \in \mathrm{Range}(D_1)) < f(n)\}$$

$$SD'_N = \{(D_0, D_1) : \|D_0 - D_1\| < f(n)\}$$

where $n = |(D_0, D_1)|$ is the length of the description of the pair and f is a negligible function.

In other words, a pair of circuits is in $SD'_Y$ if the probability that a sample taken from the first circuit lies in the range of the second is negligible, and a pair of circuits is in $SD'_N$ if the distributions induced by the circuits have negligible statistical difference. Note that $SD'_Y \subseteq SD_Y$ and $SD'_N \subseteq SD_N$.

Our main tool will be the following lemma:

Lemma 8. SD reduces to SD'.

Specifically, given a pair of circuits $(D_0, D_1)$ there is a polynomial-time computable function that maps them to a new pair of circuits $(C_0, C_1)$ such that:

$$\|D_0 - D_1\| > 2/3 \implies \|C_0 - C_1\| < f(n)$$

$$\|D_0 - D_1\| < 1/3 \implies \text{for } x \leftarrow C_0,\ \Pr(x \in \mathrm{Range}(C_1)) < f(n)$$

where f is a negligible function. Note the direction of the reduction: yes-instances of SD are mapped into $SD'_N$ and no-instances into $SD'_Y$, i.e. SD is reduced to the complement of SD'. Since SZK is closed under complement this is all that is needed below.

Sahai and Vadhan ([22]) showed a reduction from SD to itself that drives the two thresholds apart. The same reduction accomplishes Lemma 8, although this is only implicit in their proof. We do not give the proof here and refer the reader to [22].


3.3 Proof of the Main Theorem

Claim 9. SZK ⊆ Input-Dependent NISZK

Proof. SD is a complete promise problem for the class SZK ([21]) and SD reduces to SD' (Lemma 8, which sends yes-instances of SD to $SD'_N$ and no-instances to $SD'_Y$), therefore it is enough to show an input-dependent non-interactive statistical zero-knowledge proof system whose yes-instances are $SD'_N$ and whose no-instances are $SD'_Y$.

Let l be the number of input gates of $D_0$ and $D_1$ (w.l.o.g. they have the same number of input gates).

The proof system:

Common input: $(D_0, D_1)$

Shared reference string: $\sigma = D_0(r)$, where $r \in_R \{0,1\}^l$

The protocol:

1. P sends $r' \in \{0,1\}^l$, chosen uniformly among the strings with $D_1(r') = \sigma$.

2. V accepts if and only if $D_1(r') = \sigma$.

Completeness: $(D_0, D_1) \in SD'_N$ means that $\|D_0 - D_1\| < f(n)$ (f is a negligible function). Let k be the number of output gates of $D_0$ and $D_1$ (again w.l.o.g. this number is the same for $D_0$ and $D_1$). Then by the definition of statistical difference, for $x \leftarrow D_0$, $y \leftarrow D_1$, and for every $S \subseteq \{0,1\}^k$:

$$|\Pr(x \in S) - \Pr(y \in S)| < f(n)$$

Let $T = \mathrm{Range}(D_0) \setminus \mathrm{Range}(D_1)$, $x \leftarrow D_0$ and $y \leftarrow D_1$. Since $\Pr(y \in T) = 0$, the following holds:

$$f(n) > |\Pr(x \in T) - \Pr(y \in T)| = \Pr(x \in T)$$

In other words the probability that a sample taken from $D_0$ is not in the range of $D_1$ is at most f(n). Therefore the probability that $\sigma$ is in the range of $D_1$ is at least $1 - f(n)$, and with this probability (over r) the (computationally unbounded) prover will be able to find r' such that $D_1(r') = \sigma$.

Soundness: $(D_0, D_1) \in SD'_Y$ means that the probability that a sample taken from $D_0$ is in the range of $D_1$ is at most f(n), so the probability that $\sigma$ is not in the range of $D_1$ is at least $1 - f(n)$. In this case there is no r' such that $D_1(r') = \sigma$ and the prover will fail.

Simulation:

S: choose $r \in_R \{0,1\}^l$, output $(D_1(r), r)$.

If $(D_0, D_1) \in SD'_N$ then the distributions $D_0$, $D_1$ have statistical difference at most f(n), therefore $\sigma$ and the first message of the simulator have statistical difference at most f(n). The second message, both in the protocol and in the simulator, is determined by the first message (the shared reference string) to be a uniformly random input to $D_1$ in the preimage of the first message. So for a given first message, the second message has the same distribution in the protocol and in the simulator. □
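The proof system just described, run on concrete circuits, as an added example that is not part of the paper: a circuit is modelled as a Python function from l input bits to a 3-bit string, so the statistical difference of Definition 5, the range condition of $SD'_Y$ and the exact distribution of the transcript can all be computed by enumerating the $2^l$ inputs, and the unbounded prover is a brute-force preimage search. The two pairs of circuits (one with identical distributions, one with disjoint ranges) are constructed for this example.

```python
"""Added example, not the paper's code: the input-dependent NISZK proof system of
Claim 9 on tiny concrete circuits.  A circuit is modelled as a Python function from
l input bits to an output string; the distribution it induces is its output on a
uniform input.  Everything is computed exactly by enumerating all 2^l inputs, so the
unbounded prover is a brute-force search.  The circuits below are constructed."""
from collections import Counter
from fractions import Fraction
from itertools import product
import random

def bits(l):
    return ["".join(p) for p in product("01", repeat=l)]

def distribution(circuit, l):
    """Exact output distribution of `circuit` on a uniform l-bit input."""
    counts = Counter(circuit(r) for r in bits(l))
    return {y: Fraction(c, 2 ** l) for y, c in counts.items()}

def statistical_difference(d0, d1):
    """Definition 5: max over S of |Pr[X in S] - Pr[Y in S]|, i.e. half the L1 distance."""
    support = set(d0) | set(d1)
    return sum(abs(d0.get(y, 0) - d1.get(y, 0)) for y in support) / 2

def prob_in_range(d0, d1):
    """Pr_{x <- D0}[x in Range(D1)], the quantity bounded in SD'_Y."""
    return sum(p for y, p in d0.items() if y in d1)

def dealer(circuit0, l, rng):
    """Input-dependent dealer: sigma = D0(r) for private uniform coins r."""
    return circuit0(rng.choice(bits(l)))

def prover(circuit1, l, sigma, rng):
    """Unbounded prover (brute force): a uniformly random r' with D1(r') = sigma, or None."""
    preimages = [r for r in bits(l) if circuit1(r) == sigma]
    return rng.choice(preimages) if preimages else None

def verifier(circuit1, sigma, r_prime):
    return r_prime is not None and circuit1(r_prime) == sigma

def run_protocol(circuit0, circuit1, l, trials=200, seed=1):
    """Fraction of runs in which V accepts."""
    rng = random.Random(seed)
    accepts = 0
    for _ in range(trials):
        sigma = dealer(circuit0, l, rng)
        accepts += verifier(circuit1, sigma, prover(circuit1, l, sigma, rng))
    return accepts / trials

def transcript_distribution(circuit0, circuit1, l):
    """Exact distribution of (sigma, r') in the real protocol."""
    preimages = {}
    for r in bits(l):
        preimages.setdefault(circuit1(r), []).append(r)
    dist = {}
    for r in bits(l):
        sigma = circuit0(r)
        pre = preimages.get(sigma, [None])
        for rp in pre:                               # r' uniform among the preimages of sigma
            dist[(sigma, rp)] = dist.get((sigma, rp), 0) + Fraction(1, 2 ** l * len(pre))
    return dist

def simulator_distribution(circuit1, l):
    """Exact distribution of the simulator's output (D1(r), r) for uniform r."""
    return {(circuit1(r), r): Fraction(1, 2 ** l) for r in bits(l)}

# Constructed circuits on l = 4 input bits with 3 output bits.
L = 4
def close0(r): return r[:3]        # uniform on {0,1}^3
def close1(r): return r[1:]        # also uniform on {0,1}^3: statistical difference 0
def far0(r): return "0" + r[:2]    # every output starts with 0
def far1(r): return "1" + r[2:]    # every output starts with 1: disjoint ranges

if __name__ == "__main__":
    d0, d1 = distribution(close0, L), distribution(close1, L)
    print("close pair: SD =", statistical_difference(d0, d1),
          "accept rate", run_protocol(close0, close1, L),
          "SD(real transcript, simulator) =",
          statistical_difference(transcript_distribution(close0, close1, L),
                                 simulator_distribution(close1, L)))
    e0, e1 = distribution(far0, L), distribution(far1, L)
    print("far pair: Pr[x in Range(D1)] =", prob_in_range(e0, e1),
          "accept rate", run_protocol(far0, far1, L))
```

The close pair is a yes-instance ($SD'_N$): the verifier accepts every run, and the exact distribution of $(\sigma, r')$ equals the simulator's $(D_1(r), r)$, which is the zero-knowledge claim of the proof. The far pair is a no-instance ($SD'_Y$): no preimage exists and every run is rejected.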

Claim 10. SZK ⊇ Input-Dependent NISZK

Proof. We will show a reduction from any language in Input-Dependent NISZK to the promise problem SD. As SD is complete for SZK, and SZK is closed under complementation [19], this suffices to prove the claim. Let (P, V) be an input-dependent NISZK protocol for a language L with exponentially small error bound. Let S be the simulator for the protocol, f the polynomial-time computable function that produces the reference string, and q the polynomial (in the input length) that defines the length of the input to f. Define $\mu$ to be the negligible function bounding the statistical difference between the outputs of (P, V) and S. For an input x, define the following pair of distributions:

$D_0$: choose $r \in_R \{0,1\}^{q(|x|)}$, output $f(x, r)$.

$D_1$: run the simulator S on x to obtain $(\sigma, p)$; if $V(x, \sigma, p) = \text{accept}$ output $\sigma$, otherwise output $0^{q(|x|)}$ (here $0^{q(|x|)}$ stands for a canonical string outside the range of f).

First we show that if $x \in L$ then $\|D_0 - D_1\| < 1/3$. Let n = |x|. The statistical difference between the first message of the simulator and the real reference string is bounded by $\mu(n)$. Also, $\Pr((P, V)(x) = \text{accept}) > 1 - 2^{-n}$, therefore with probability at least $1 - 2^{-n} - \mu(n)$ the distribution $D_1$ outputs the first message of the simulator, and thus $\|D_0 - D_1\| < 2\mu(n) + 2^{-n}$.

Next we show that if $x \notin L$ then $\|D_0 - D_1\| > 2/3$. Define:

$$T = \{\sigma : \exists r \in \{0,1\}^{q(n)} \text{ and } \exists p \text{ s.t. } f(x, r) = \sigma \text{ and } V(x, \sigma, p) = \text{accept}\}$$

That is, T is the set of all reference strings for which there exists a proof that will convince V. Since the soundness error is bounded by $2^{-n}$, $\Pr_{r \in_R \{0,1\}^{q(n)}}(f(x, r) \in T) < 2^{-n}$. Since $D_1$ only outputs $\sigma \in T$ or $0^{q(n)}$, and $D_0$ outputs a real reference string, $\|D_0 - D_1\| > 1 - 2^{-n}$. □

4 Computational Zero-Knowledge

4.1 A Protocol-Dependent NICZK Proof for NP

In this section we show a protocol-dependent non-interactive CZK proof system for every language in NP with perfect completeness and perfect soundness. It is based on the assumption that one-way functions exist. The proof system is for the NP-complete language 3-COL of all 3-colorable graphs.

In our protocol we will make use of characters. Characters were used by [17] in their non-interactive zero-knowledge proof for NP in the random reference string model. A character is an object that can have one of four possible values: 1, 2, 3 or WC (wild card). The value of a character is unknown to the verifier unless the prover reveals it to him. It can be revealed according to the following rules: if the value is 1, 2 or 3 then it can only be revealed to this value. If the value is WC then it can be revealed to 1, 2 or 3 (whatever the prover chooses).

Characters can be implemented in the following way: a character is a commitment to a triplet of bits that can have one of the following values: 001 (the character 1), 010 (the character 2), 100 (the character 3), or 111 (WC). The security of the bit-commitment scheme ensures that the value of a character is unknown to the polynomial-time verifier unless the (computationally unbounded) prover reveals it to him. To reveal the value of a character, the prover opens one bit of the triplet and the verifier checks that the value of this bit is 1. The location of the revealed bit determines the value of the character. Clearly, {1, 2, 3} characters can only be revealed to their real value, and WC can be revealed to any value.

Next we define a test to check whether the two nodes of an edge in the graph are colored with different colors. The test is conducted in the following way: with each node we associate a triplet of characters. Two of them are WC and one is a non-WC character, thus we have two non-WC characters associated with the edge (one in each node). We make sure that these two characters have different values (that is, the dealer prepares them in this manner). We define the color of a node to be the position of the non-WC character within the triplet of characters associated with it. We say that two such triplets of characters are consistent if they represent the same color. By reordering the characters in each triplet, the prover can determine the colors of the two nodes. In order to prove that the two nodes were given different colors, the prover reveals the two triplets of characters, and the verifier accepts if and only if the two revealed triplets are identical and form a permutation of {1, 2, 3}. We call this test the inconsistency test. We now prove some properties of this test.

Claim 11 (completeness). If the two nodes were given different colors then 
the prover will always pass the test. 

Proof. The fact that the two nodes have two different colors means that the 
two non-WC characters are in different positions in the triplets associated with 
the nodes. That is, if we align the two triplets, against each non-WC character 
in one triplet there will be a WC character in the other, and in one position 
there will be a WC against a WC. The prover will reveal each WC character 
which is aligned against a non-WC character to the value of this character. The 
two WC characters which are aligned against each other will be revealed to the 
value which is not used in the other positions in the triplets (recall that the two 
non-WC characters have different values, therefore this value is determined). 
So in each position the same value will be revealed in the two triplets and each 
value in {1, 2,3} will be revealed exactly once. □ 

Claim 12 (soundness). If the two nodes were given the same color then the prover will always fail the test.

Proof. The fact that the two nodes have the same color means that if we align the two triplets, the two non-WC characters will be aligned against each other. Since they have two different values and the prover cannot reveal them to any other value, the verifier will always see different values in this position in the two triplets and will reject the test. □


Claim 13 ("zero-knowledge"). If the values of the non-WC characters are chosen uniformly (with the restriction that they have different values) then, if the nodes were given different colors, the triplets will be revealed to a random permutation of {1, 2, 3} (with probability 1/6 for each permutation).

Proof. Assume w.l.o.g. that the first node receives the color 1 (the non-WC character is in the first position) and the second receives the color 2, and that we first choose the value of the first character with probability 1/3 for each possible value and then choose the value of the second character with probability 1/2 for each remaining possible value. Clearly each pair is chosen with probability 1/6. After the values of the non-WC characters are chosen, the permutation is determined. This is because each WC character which is aligned against a non-WC character must be revealed to its value, and the value of the WC characters which are aligned against each other is determined to be the value which was not chosen for the two non-WC characters. Furthermore, each choice of values for the non-WC characters defines a different permutation. Therefore each permutation of {1, 2, 3} is revealed with probability 1/6. □

We can now present a protocol-dependent non-interactive computational zero-knowledge proof system for the language 3-COL:

The proof system:

Input: A graph G = (V, E) (denote n = |V|).

Reference string: An independently and randomly chosen inconsistency test for each one of the edges of the complete graph $K_n$, where for each node all the triplets of characters associated with it are consistent. In other words, with each node we associate an $(n-1) \times 3$ matrix of characters, where two columns contain only WC characters and one contains only non-WC characters. For each matrix the position of the non-WC column is chosen randomly and independently.

The proof:

1. P's proof is divided into two stages:

(a) For each node in V, P swaps two columns of the matrix associated with it to create a new matrix.

(b) For each edge in E, P performs the inconsistency test associated with it (with the new matrices from stage 1(a)).

2. V accepts if and only if P passes all the inconsistency tests.

Proof of correctness:

Completeness: Let $\gamma$ be a 3-coloring of G. For each node there is an $(n-1) \times 3$ matrix of characters associated with it. With each such matrix we associate a color according to the position of the non-WC column. In stage 1(a), for each node, if the matrix does not represent the color of the node according to $\gamma$, P swaps the non-WC column with a WC one so that the new matrix represents the right color. If the matrix does represent the right color, P swaps the two WC columns. Since $\gamma$ is a legal 3-coloring of G, after stage 1(a) all the matrices of adjacent nodes are inconsistent and P will always pass all the inconsistency tests (Claim 11).

Soundness: The fact that there is no legal 3-coloring of G means that it is impossible to bring the matrices to a state where for every two adjacent nodes the matrices associated with them are inconsistent (otherwise the state of the matrices would define a valid 3-coloring). Therefore for at least one edge in E, P will always fail the inconsistency test (Claim 12).


Note that in the protocol-dependent model the dealer does not have access to the input, therefore he must prepare an inconsistency test for every possible edge.

Simulation:

1. (simulation of the reference string) Associate with each node an $(n-1) \times 3$ matrix of WC characters. This is done by committing to $9n(n-1)$ bits of value 1.

2. (simulation of stage 1(a)) For each node in V, choose randomly two columns in the matrix associated with it and swap them.

3. (simulation of stage 1(b)) For each $e \in E$, choose a random permutation of {1, 2, 3} and reveal the two triplets of characters associated with e (i.e. the simulation of the inconsistency test for e) to be this permutation.

The security property of the bit-commitment scheme ensures that the real reference string and the simulated one are computationally indistinguishable.

Let $\gamma$ be a 3-coloring of G. Let $c \in \{1, 2, 3\}$ be the color of $v \in V$ according to $\gamma$. Let $A_v$ be the matrix associated with v in the real proof. The position of the non-WC column in $A_v$ is chosen randomly. If $A_v$ represents the color c, and this happens with probability 1/3, then the two WC columns (the columns that do not represent c) are swapped in stage 1(a). Otherwise $A_v$ represents one of the other two colors, with probability 1/3 for each one, and then the column that represents c is swapped with the non-WC column. So in stage 1(a) the two columns swapped in $A_v$ are a random pair, and since the position of the non-WC column was chosen independently for all the matrices this is also the case for all the matrices together.

After all the matrices were brought in stage 1(a) to a state where every two adjacent nodes have inconsistent matrices, in every inconsistency test in stage 1(b) a random permutation of {1, 2, 3} is revealed (Claim 13). Since the values for the inconsistency tests were chosen independently, all the permutations revealed in stage 1(b) are random and independent. □
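The dealer, prover, verifier and simulator of this section on small graphs, as an added example that is not the paper's code. Two assumptions are made for the example: the bit commitment is SHA-256 over a random nonce and the bit (a stand-in for the one-way-function based commitment the paper relies on, not the paper's scheme), and the prover is handed the dealer's openings, which models its ability to open the dealer's commitments (the unbounded prover of this section, or the trapdoor prover of Section 4.3). All graphs and colourings are constructed.

```python
"""Added example, not the paper's code: the protocol-dependent NICZK proof for 3-COL of
Section 4.1 on small constructed graphs.  Assumed here: a SHA-256(nonce || bit) commitment
standing in for the paper's one-way-function based scheme, and a prover handed the dealer's
openings, modelling its ability to open them (unbounded in 4.1, trapdoor in 4.3)."""
import hashlib
import random

WC = (1, 1, 1)                                       # wild card character
CHAR = {1: (0, 0, 1), 2: (0, 1, 0), 3: (1, 0, 0)}   # bit triplet encoding each value
POS = {1: 2, 2: 1, 3: 0}                             # the bit opened to reveal a value

def commit(bit, rng):
    nonce = rng.getrandbits(128).to_bytes(16, "big")
    return hashlib.sha256(nonce + bytes([bit])).digest(), (nonce, bit)

def check_open(com, opening):                        # a revealed bit must open to 1
    nonce, bit = opening
    return bit == 1 and hashlib.sha256(nonce + bytes([bit])).digest() == com

def commit_row(row, rng):                            # triplet of characters -> (commitments, openings)
    cs = [[commit(bit, rng) for bit in ch] for ch in row]
    return [[c for c, _ in ch] for ch in cs], [[o for _, o in ch] for ch in cs]

def deal(n, rng):
    """Dealer (knows n, not the graph): a triplet per ordered pair (x, y), non-WC in column col[x]."""
    col = {x: rng.randrange(3) for x in range(n)}
    coms, opens = {x: {} for x in range(n)}, {x: {} for x in range(n)}
    for u in range(n):
        for v in range(u + 1, n):
            a, b = rng.sample([1, 2, 3], 2)          # the two non-WC values of this edge differ
            for x, y, val in ((u, v, a), (v, u, b)):
                row = [WC, WC, WC]
                row[col[x]] = CHAR[val]
                coms[x][y], opens[x][y] = commit_row(row, rng)
    return coms, opens, col

def value_of(openings):                              # 1, 2, 3, or None for a wild card
    bits = tuple(b for _, b in openings)
    return None if bits == WC else 3 - bits.index(1)

def swap(i, j):                                      # new column k holds old column p[k]
    p = [0, 1, 2]
    p[i], p[j] = p[j], p[i]
    return tuple(p)

def prove(n, edges, colouring, opens, col, rng):
    """Stage 1(a): one column swap per node; stage 1(b): the inconsistency test on each edge."""
    perm = {}
    for v in range(n):
        i, j = col[v], colouring[v] - 1
        if i == j:                                   # already the right colour: swap the WC columns
            i, j = [k for k in range(3) if k != i]
        perm[v] = swap(i, j)
    reveals = {}
    for (u, v) in edges:
        used = {value_of(opens[u][v][c]) for c in range(3)} | {value_of(opens[v][u][c]) for c in range(3)}
        out = []
        for k in range(3):
            cu, cv = opens[u][v][perm[u][k]], opens[v][u][perm[v][k]]
            a, b = value_of(cu), value_of(cv)
            if a is None and b is None:              # WC against WC: the value nobody uses
                a = b = ({1, 2, 3} - used).pop()
            elif a is None or b is None:             # WC against non-WC: copy its value
                a = b = a if b is None else b        # (two non-WC: each opens only to its own value)
            out.append(((POS[a], cu[POS[a]]), (POS[b], cv[POS[b]])))
        reveals[(u, v)] = out
    return perm, reveals

def verify(n, edges, coms, proof):
    perm, reveals = proof
    if any(sorted(perm[v]) != [0, 1, 2] for v in range(n)):   # a swap must keep all three columns
        return False
    for (u, v) in edges:
        seen = {u: [], v: []}
        for k, sides in enumerate(reveals[(u, v)]):
            for (x, y), (idx, opening) in zip(((u, v), (v, u)), sides):
                if not check_open(coms[x][y][perm[x][k]][idx], opening):
                    return False
                seen[x].append(3 - idx)
        if seen[u] != seen[v] or sorted(seen[u]) != [1, 2, 3]:
            return False
    return True

def simulate(n, edges, rng):                         # all-WC matrices, random swaps, random permutations
    coms, opens = {x: {} for x in range(n)}, {x: {} for x in range(n)}
    for x in range(n):
        for y in range(n):
            if x != y:
                coms[x][y], opens[x][y] = commit_row([WC, WC, WC], rng)
    perm = {v: swap(*rng.sample(range(3), 2)) for v in range(n)}
    reveals = {(u, v): [((POS[c], opens[u][v][perm[u][k]][POS[c]]), (POS[c], opens[v][u][perm[v][k]][POS[c]]))
                        for k, c in enumerate(rng.sample([1, 2, 3], 3))] for (u, v) in edges}
    return coms, (perm, reveals)

def run(n, edges, colouring=None, seed=7):           # V's verdict on a real proof, or on a simulated one
    rng = random.Random(seed)
    if colouring is None:
        return verify(n, edges, *simulate(n, edges, rng))
    coms, opens, col = deal(n, rng)
    return verify(n, edges, coms, prove(n, edges, colouring, opens, col, rng))
```

`run(3, [(0, 1), (1, 2), (0, 2)], {0: 1, 1: 2, 2: 3})` returns True (Claim 11). `run(4, [(u, v) for u in range(4) for v in range(u + 1, 4)], {0: 1, 1: 2, 2: 3, 3: 1})` returns False: $K_4$ has no 3-colouring, so the edge (0, 3) aligns two non-WC characters of different values and the verifier sees two different triplets (Claim 12). `run(3, [(0, 1), (1, 2), (0, 2)])` with no colouring builds the simulated transcript of the proof above, which the same verifier accepts. The permutation check in `verify` is what stops a cheating prover from duplicating a WC column to hide the non-WC one.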

Remark: The proof system presented above requires that the reference string contain $O(n^2)$ bit commitments. The reason is that the structure of the graph is unknown in advance and the dealer must prepare an inconsistency test for each possible edge (i.e. for every edge in the complete graph with n nodes). However, if we use a more "structured" NP-complete problem such as the coloring problem on a wrapped de Bruijn graph ([20]), where only $O(n \log n)$ local tests are needed, we can improve the number of bit commitments to $O(n \log n)$. A proof system for this problem will be presented in the full version of this paper.


4.2 Non-interactive Proofs with Preprocessing 

The notion of non-interactive zero-knowledge proofs with preprocessing was first introduced by [7]. In their model, the proof system is divided into two stages: first, before there is a statement to prove, the prover and the verifier execute an interactive protocol which ends with both of them agreeing on a common reference string. Then, when there is a statement to prove, the prover sends a single message to the verifier, and the latter decides whether to accept or reject according to the input, the prover's message and the reference string. The original proof system required that the reference string contain $O(n^3)$ bit commitments to prove that a 3-CNF formula of length n is satisfiable, and it was based on the assumption that one-way functions exist. [16] gave a non-interactive zero-knowledge proof system with preprocessing that requires fewer bit commitments and also has the property that multiple statements can be proven based on a single reference string. However, this came at the expense of a stronger cryptographic assumption, namely oblivious transfer.

The protocol-dependent model seems close to the non-interactive with preprocessing model. In both cases the prover's message is based on a non-random reference string. In the protocol-dependent model a trusted (polynomial-time) dealer provides the reference string, and in the preprocessing model the prover and the verifier agree on it in advance. Indeed, the proof system we introduced in the previous section can easily be changed to work in the preprocessing model. To see that, notice that the following language is in NP (the openings of the commitments serve as the witness):

$$L = \{(s, 1^n) : s \in \{0,1\}^{\mathrm{poly}(n)},\ s \text{ is a valid reference string for the protocol-dependent proof system for 3-COL (of a graph with } n \text{ nodes)}\}$$

The proof system (in the preprocessing model) will be:

Stage 1 (interactive): The prover chooses a reference string in the same way the dealer chose it in the protocol-dependent model. Then the prover proves interactively and in zero-knowledge that this string is in L. Since $L \in NP$, such a proof exists under the assumption that one-way functions exist ([11]).

Stage 2 (non-interactive): Continue as in the protocol-dependent model.

This proof system improves on [7] as it is based on the same assumption and requires that the reference string contain only $O(n \log n)$ bit commitments to prove a statement of size n.

4.3 Efficient Provers and Applications 

Note that the protocol in Section 4.1 requires the prover to have computational power sufficient to reverse the bit commitments of the dealer, i.e. to compute the inverse of a one-way function. For the protocol to be applicable we would like it to work for an efficient prover, that is, a polynomial-time prover with an auxiliary input containing a witness for the NP statement. For this we have to change the cryptographic assumption: instead of basing the bit commitment on any one-way function, we base it on a family of unapproximable trapdoor predicates ([9]).

The proof system now requires an additional preliminary step: the prover sends to the dealer a predicate for which he knows the trapdoor, and the dealer uses it for his bit commitments. Now the prover can reverse the bit commitments, and the protocol continues as before.

440 Danny Gutfreund and Michael Ben-Or

Non-interactive zero-knowledge proofs were shown to be useful in many applications. For applications where the prover is also the dealer (e.g. digital signature schemes secure against adaptive chosen message attack [2] and memoryless key distribution [2]) the protocol-dependent model will still work. This is because the prover commits to the bits and will therefore be able to open them at a later stage. It is in the prover's best interest that the reference string be correctly prepared. For public key cryptosystems secure against chosen ciphertext attack ([5], [18]) this is not the situation. The key generator cannot generate the public key (which includes the reference string) without knowing which predicate to use for the bit commitments (the one for which the prover knows the trapdoor). Therefore the prover must notify it in advance which predicate to use. This is a major drawback because for each prover we will need a different public key.

5 Concluding Remarks 

We showed that if we assume that the (polynomial-time) dealer has access to the input to the protocol as well as private coins then every language that has a statistical zero-knowledge proof system also has a non-interactive statistical zero-knowledge proof system. It would be very interesting to understand whether these assumptions are required for SZK to be done non-interactively.

In the computational zero-knowledge setting, we showed an efficient (in terms of the number of bit commitments) Protocol-Dependent NICZK protocol for every language in NP. The protocol is based on the assumption that one-way functions exist (for unbounded provers), or on the assumption that a family of unapproximable trapdoor predicates exists (for efficient provers). We also showed how this model can replace the traditional model in some applications such as secure digital signatures. For secure public-key cryptosystems the use of our model raises problems, namely that a public key is generated for a particular prover (sender) and cannot be used by everyone. If we could avoid this problem, we would get a very interesting result: that the use of non-interactive zero-knowledge proofs in order to get a public-key cryptosystem that is secure against chosen ciphertext attack does not impose a stronger cryptographic assumption than the public-key encryption itself. This is due to [9], who showed that the existence of a (semantically secure) public-key cryptosystem is equivalent to the existence of a family of unapproximable trapdoor predicates. Current use of non-interactive zero-knowledge in the random reference string model is based on the stronger assumption that there is a family of trapdoor permutations.
Abstract. In this paper, we investigate the gap between auxiliary-input zero-knowledge (AIZK) and blackbox-simulation zero-knowledge (BSZK). It is an interesting open problem whether or not there exists a protocol which achieves AIZK, but not BSZK. We show that the existence of such a protocol is closely related to the existence of secure code obfuscators. A code obfuscator is used to convert a code into an equivalent one that is difficult to reverse-engineer. This paper provides security definitions of code obfuscation. By these definitions, it is easy to see that the existence of the gap implies the existence of a cheating verifier such that it is impossible to obfuscate any code of it. Intuitively, this means that it is possible to reverse-engineer any code of such a cheating verifier. Furthermore, we consider the actual behavior of such a cheating verifier. In order to do so, we focus on two special cases in which the gap exists: (1) there exists a constant round public-coin AIZK interactive argument for a language outside of BPP; (2) there exists a 3-round secret-coin AIZK interactive argument for a language outside of BPP. In the former case, we show that it is impossible to securely obfuscate a code of a cheating verifier behaving as a pseudorandom function. A similar result is shown also in the latter case. Our results imply that any construction of constant round public-coin or 3-round secret-coin AIZK arguments for non-trivial languages essentially requires a computational assumption with a reverse-engineering property.


Keywords: Zero-knowledge, code obfuscation, reverse-engineering, interactive 
proof, interactive argument. 

1 Introduction 

In this paper, we investigate the gap between two definitions of zero-knowledge 
(ZK): auxiliary-input zero-knowledge and blackbox-simulation zero-knowledge. 
We will show that the gap is closely related to code obfuscation. 


1.1 Zero-Knowledge 

ZK is one of the most important notions in modern cryptography. The original definition of ZK, which we call GMR-ZK, is given in [GMR85] as follows: for any probabilistic polynomial-time (PPT) cheating verifier, there exists a PPT machine (called the simulator) which simulates the interaction, i.e., produces a probability distribution which is computationally indistinguishable from the distribution of the real interaction between the prover and the cheating verifier. This definition is not suitable for cryptographic applications since it is not closed under sequential composition [GoKr96]. In cryptographic applications, the cheating verifier may have some additional a-priori information. However, GMR-ZK did not deal with this stronger verifier. In order to overcome this problem, Goldreich and Oren introduced an alternative definition called auxiliary-input zero-knowledge (AIZK) [GoOr94]. AIZK is a stronger formulation in which the simulation requirement is extended to deal with stronger (non-uniform) verifiers, namely verifiers with some additional a-priori information. They showed that AIZK is closed under sequential composition.

T. Okamoto (Ed.): ASIACRYPT 2000, LNCS 1976, pp. 443-457, 2000.
© Springer-Verlag Berlin Heidelberg 2000

444 Satoshi Hada

The above two definitions only require that, for each cheating verifier, there exists a simulator. That is, in both definitions the simulator is allowed to examine the internal state of the cheating verifier. On the other hand, blackbox-simulation zero-knowledge (BSZK) requires the existence of a single universal simulator which uses any non-uniform cheating verifier as a blackbox to simulate the interaction. That is, the simulator is only allowed to observe the input/output behavior of the cheating verifier. BSZK is the most restrictive of the three definitions. Nevertheless, almost all known ZK protocols are BSZK. It is an interesting open problem whether there exists a protocol which achieves AIZK, but not BSZK.

1.2 Code Obfuscation 

Given a code, how can we make it hard to reverse-engineer? This is one of the major open problems concerning computer practice. Code obfuscation is the most viable method for preventing reverse-engineering. There are many heuristic and ad-hoc obfuscation techniques for particular programming languages such as C, C++, Java and so on [CTL97]. However, to the best of our knowledge, no theoretical treatment has been provided so far. In this paper, we provide definitions of secure code obfuscators and show that the existence of secure obfuscators for some code is closely related to the gap between AIZK and BSZK.

Take pseudorandom function ensembles (PRFEs) for example [GGM86]. PRFEs are function ensembles that cannot be distinguished from truly random functions by any efficient procedure (any adversary) which can get the value of the function at arguments of its choice, provided its seed is chosen randomly. However, the pseudorandomness is guaranteed only when the randomly chosen seed is unknown to adversaries. This means that if a code of a PRFE is given to an adversary and the seed is embedded into the code, it may no longer satisfy the pseudorandomness. This is because some information about the seed may be extracted from the given code. A code obfuscator can be used to solve this problem. It converts the given code into another code that is functionally identical to the original code so that the seed remains unknown to the adversary who is allowed to analyze the obfuscated code.

1 The one exception appeared in [HT98]. See Section 1.3.

We sketch a definition of secure code obfuscators from the above point of view. We consider code obfuscation for a function ensemble $\mathcal{F} = \{F_n\}_{n \in \mathbb{N}}$ such that $F_n = \{f_s\}_{s \in \{0,1\}^{l_s(n)}}$. $s$ is the seed that we want to remain unknown to an adversary. A code obfuscator $C$ for $\mathcal{F}$, given a code $\pi(f_s)$, produces another code denoted by $\Pi(f_s)$ that is functionally identical to $\pi(f_s)$. We want to guarantee that the adversary should not gain any information about $s$ given $\Pi(f_s)$ when $s$ is chosen randomly. That is, we say that $C$ is secure against an adversary $A$ if whatever can be gained by $A$ having access to the code $\Pi(f_s)$ can also be gained by a PPT machine having only blackbox-access to $f_s$. Roughly speaking, this guarantees that $A$ cannot reverse-engineer the code $\Pi(f_s)$ produced by $C$. This is formalized based on the simulation paradigm [GM84] [GMR85] [Go99, Section 1.2.3]. In Section 3, we discuss defining secure code obfuscators in more detail.

1.3 Motivation and Results 

As described in Section 1.1, it is an interesting open problem whether it holds that $\mathrm{Cl}(\mathrm{BSZK}) \subsetneq \mathrm{Cl}(\mathrm{AIZK})$, where $\mathrm{Cl}(def)$ denotes the class of all interactive arguments satisfying the requirements of ZK definition $def$. Hada and Tanaka have constructed a 3-round secret-coin AIZK argument for an $\mathcal{NP}$-complete language, that is, they have shown that $\mathrm{Cl}(\mathrm{BSZK}) \subsetneq \mathrm{Cl}(\mathrm{AIZK})$ holds unless $\mathcal{NP} \subseteq \mathcal{BPP}$ [HT98]. However, their construction requires a non-standard computational assumption with a strong reverse-engineering property. Roughly, it requires that given any code of any cheating verifier, one can efficiently extract the secret-coin used by the cheating verifier, while one having only blackbox-access to the code cannot do it. This paper addresses the question of whether the reverse implication holds, i.e., whether some reverse-engineering property is essential for the gap between AIZK and BSZK. If it is true, then $\mathrm{Cl}(\mathrm{BSZK}) \subsetneq \mathrm{Cl}(\mathrm{AIZK})$ implies some negative result for code obfuscation. The purpose of this paper is to give such negative results.

We discuss the gap between AIZK and BSZK in more detail. We start by reviewing the definition of universal simulation zero-knowledge (USZK) introduced by Oren [Or87]. Oren showed that it is equivalent to AIZK, i.e., $\mathrm{Cl}(\mathrm{USZK}) = \mathrm{Cl}(\mathrm{AIZK})$. In the definition of BSZK, given any cheating verifier, the simulator is required to output a simulated conversation simply by observing the input/output behavior of the cheating verifier. On the other hand, the definition of USZK allows the simulator to take as input the code of the cheating verifier and analyze it. Therefore, we can say that if $\mathrm{Cl}(\mathrm{BSZK}) \subsetneq \mathrm{Cl}(\mathrm{USZK})$ holds (equivalently, $\mathrm{Cl}(\mathrm{BSZK}) \subsetneq \mathrm{Cl}(\mathrm{AIZK})$), then there exists a cheating verifier for which the simulation is possible by analyzing its code, but impossible by simply observing its input/output behavior. This will imply that it is impossible to obfuscate the code of such a cheating verifier. Indeed, by our security definition of code obfuscators, if $\mathrm{Cl}(\mathrm{BSZK}) \subsetneq \mathrm{Cl}(\mathrm{USZK})$ holds then there exists a cheating verifier (which can be viewed as a function ensemble) for which secure code obfuscation is impossible (Theorem 3). However, this does not say anything about the actual behavior of such a cheating verifier.

We focus on the following two statements in order to consider the actual behavior of such a cheating verifier:

$\mathrm{Gap}_{pc}$: There exists a constant round public-coin AIZK argument for a language outside of $\mathcal{BPP}$.

$\mathrm{Gap}_{sc}$: There exists a 3-round secret-coin AIZK argument for a language outside of $\mathcal{BPP}$.

If either statement is true then it holds that $\mathrm{Cl}(\mathrm{BSZK}) \subsetneq \mathrm{Cl}(\mathrm{AIZK})$. Note that the analogous statements regarding BSZK are false [GoKr96] (footnote 2). For each statement, we prove impossibility of secure code obfuscation for a specific cheating verifier (a specific function ensemble):

1. If $\mathrm{Gap}_{pc}$ is true, then there exists a cheating verifier behaving as a PRFE for which secure code obfuscators do not exist. In other words, there exists no secure code obfuscator for PRFEs (Theorem 4).

2. If $\mathrm{Gap}_{sc}$ is true, there exists a cheating verifier for which secure code obfuscators do not exist. The cheating verifier is equivalent to the prescribed (honest) verifier except that it computes its message as a pseudorandom function of the first message sent by the prover (Theorem 5).

We don't know whether these non-existence results are reasonable or not. However, our result is a good reason to believe that any construction of constant round public-coin or 3-round secret-coin AIZK arguments for non-trivial languages essentially requires a computational assumption with a reverse-engineering property. Indeed, the 3-round AIZK argument constructed in [HT98] required a computational assumption with a reverse-engineering property.


1.4 Related Works 

Goldreich and Ostrovsky gave a definition of software-protecting compilers and an efficient construction of one [GoOs96]. It is quite different from the code obfuscator considered in this paper. In their setting, a code is encrypted and can be executed by a CPU having the corresponding decryption key, and adversaries try to reconstruct the code from the encrypted one. The adversary is allowed to execute the program on the random-access machine (RAM) on arbitrary inputs of its choice and modify the data between the CPU and the memory. On the other hand, our code obfuscator never encrypts a given code.

In [DNRS99], Dwork et al. showed the relationships among 3-round public-coin ZK arguments, selective decommitment and the Fiat-Shamir methodology. They pointed out that the problem they studied is closely related to code obfuscation. However, they gave no results.

2 The discussion in [GoKr96] is for ZK interactive proofs. However, their results extend to ZK interactive arguments. See Remarks 6.4 and 6.5 in that paper.

2 Preliminaries


We say that a function $\nu(\cdot) : \mathbb{N} \to \mathbb{R}$ is negligible in $n$ if for every polynomial $poly(\cdot)$ and all sufficiently large $n$'s, it holds that $\nu(n) < 1/poly(n)$. We often omit the expression "in $n$" when the definition of $n$ is clear from the context.

If $S$ is any probability distribution then $x \leftarrow S$ denotes the operation of selecting an element randomly according to $S$. If $S$ is a set then we use the same notation to denote the operation of picking an element $x$ randomly from $S$. If $A$ is a probabilistic machine then $A(x_1, x_2, \ldots, x_k)$ denotes the output distribution of $A$ on inputs $(x_1, x_2, \ldots, x_k)$. Also, $\{x_1 \leftarrow S_1;\ x_2 \leftarrow S_2;\ \ldots;\ x_k \leftarrow S_k : A(x_1, x_2, \ldots, x_k)\}$ denotes the output distribution of $A$ on inputs $(x_1, x_2, \ldots, x_k)$ when the processes $x_1 \leftarrow S_1, x_2 \leftarrow S_2, \ldots, x_k \leftarrow S_k$ are performed in order. Let $\Pr[x_1 \leftarrow S_1;\ x_2 \leftarrow S_2;\ \ldots;\ x_k \leftarrow S_k : E]$ denote the probability of the event $E$ after the processes $x_1 \leftarrow S_1, x_2 \leftarrow S_2, \ldots, x_k \leftarrow S_k$ are performed in order.

We begin by reviewing the definitions of (non-uniform) computational indistinguishability and PRFEs.

Definition 1 (computational indistinguishability). We define two types of computational indistinguishability.

1. Two distribution ensembles indexed by $\mathbb{N}$ and $\{0,1\}^*$, $X = \{X_{n,w}\}_{n \in \mathbb{N}, w \in \{0,1\}^*}$ and $Y = \{Y_{n,w}\}_{n \in \mathbb{N}, w \in \{0,1\}^*}$, are computationally indistinguishable if for every PPT machine $D$ (the distinguisher), every polynomial $poly(\cdot)$, all sufficiently large $n$'s and every string $z \in \{0,1\}^*$,

$$\Bigl|\, \Pr[x \leftarrow X_{n,w};\ b \leftarrow D(1^n, x, w, z) : b = 1] - \Pr[y \leftarrow Y_{n,w};\ b \leftarrow D(1^n, y, w, z) : b = 1] \,\Bigr| < \frac{1}{poly(n)}.$$

2. Two distribution ensembles indexed by a string set $S$ and $\{0,1\}^*$, $X = \{X_{s,w}\}_{s \in S, w \in \{0,1\}^*}$ and $Y = \{Y_{s,w}\}_{s \in S, w \in \{0,1\}^*}$, are computationally indistinguishable if for every PPT machine $D$ (the distinguisher), every polynomial $poly(\cdot)$, all sufficiently long $s$'s and every string $z \in \{0,1\}^*$,

$$\Bigl|\, \Pr[x \leftarrow X_{s,w};\ b \leftarrow D(s, x, w, z) : b = 1] - \Pr[y \leftarrow Y_{s,w};\ b \leftarrow D(s, y, w, z) : b = 1] \,\Bigr| < \frac{1}{poly(|s|)}.$$
Definition 2 (function ensembles). An $(l_{in}, l_{out}, l_s)$-function ensemble is a sequence $\mathcal{F} = \{F_n\}_{n \in \mathbb{N}}$ of function families $F_n = \{f_s : \{0,1\}^{l_{in}(n)} \to \{0,1\}^{l_{out}(n)}\}_{s \in \{0,1\}^{l_s(n)}}$ such that there exists a polynomial-time machine $\mathrm{Eval}_{\mathcal{F}}$ (called the evaluator) so that for all $s \in \{0,1\}^{l_s(n)}$ and $x \in \{0,1\}^{l_{in}(n)}$, $\mathrm{Eval}_{\mathcal{F}}(s, x) = f_s(x)$.

In the sequel, we call $s$ the seed of the function $f_s$. Also, we say that $\mathcal{F}$ is non-uniformly computable if the evaluator $\mathrm{Eval}_{\mathcal{F}}$ is a non-uniform polynomial-time machine [Go99, Section A.2.3].

Definition 3 (pseudorandom function ensembles (PRFEs)). Let $\mathcal{U}_{l_{in}, l_{out}} = \{U_{l_{in}(n), l_{out}(n)} : \{0,1\}^{l_{in}(n)} \to \{0,1\}^{l_{out}(n)}\}_{n \in \mathbb{N}}$ be a uniform function ensemble, i.e., $U_{l_{in}(n), l_{out}(n)}$ is uniformly distributed over the set of $\{0,1\}^{l_{in}(n)} \to \{0,1\}^{l_{out}(n)}$ functions. An $(l_{in}, l_{out}, l_s)$-function ensemble $\mathcal{F}$ is called pseudorandom if for every PPT machine $M$, the following two distribution ensembles are computationally indistinguishable: $\{s \leftarrow \{0,1\}^{l_s(n)} : M^{f_s}(1^n)\}_{n \in \mathbb{N}}$ and $\{u \leftarrow U_{l_{in}(n), l_{out}(n)} : M^{u}(1^n)\}_{n \in \mathbb{N}}$.


2.1 Interactive Arguments 

We consider two probabilistic interactive machines called the prover and the 
verifier. The verifier is always a PPT machine. Initially both machines have 
access to a common input tape which includes x of length n. The prover and the 
verifier send messages to one another through two communication tapes. After 
exchanging a polynomial number of messages, the verifier stops in an accept state 
or in a reject state. Each machine only sees its own tapes, namely, the common 
input tape, the random tape, the auxiliary-input tape and the communication 
tapes. We denote by A(x, y, m) the next message of A when x is the common 
input, y the auxiliary-input and m the messages exchanged so far. When we 
want to make explicit the random coins R used, we denote it by A(x, y, m; R). 

Let $(P_{x,w}, V_{x,y})$ denote the distribution of the decision (over $\{\mathrm{Acc}, \mathrm{Rej}\}$) of the verifier $V$ having an auxiliary-input $y$ when interacting on a common input $x$ with the prover $P$ having an auxiliary-input $w$, where the probability is taken over the random tapes of both machines. When the auxiliary inputs $w$ or $y$ are empty, we omit them from $(P_{x,w}, V_{x,y})$ (e.g. $(P_{x,w}, V_x)$ and $(P_x, V_{x,y})$).

There are two kinds of interactive protocols. One is "interactive proof" and the other is "interactive argument". The former requires that even a computationally unrestricted prover should be unable to make the verifier accept $x \notin L$, except with negligible (in $n$) probability [GMR85]. On the other hand, the latter requires that any cheating prover restricted to PPT should be unable to make the verifier accept $x \notin L$, except with negligible (in $n$) probability [BrCr86]. In this paper, we deal with interactive arguments.

Definition 4 (interactive arguments [Go99, page 62]). Let $P, V$ be two PPT interactive machines. The verifier $V$ does not take any auxiliary-input. We say that $(P, V)$ is an interactive argument for $L$ if the following two conditions hold: (1) Efficient Completeness: For every polynomial $poly(\cdot)$ and all sufficiently long $x \in L$, there exists an auxiliary-input $w$ such that $\Pr[b \leftarrow (P_{x,w}, V_x) : b = \mathrm{Acc}] > 1 - 1/poly(|x|)$. (2) Computational Soundness: For every PPT machine $\hat P$ (the polynomial-time bounded cheating prover), every polynomial $poly(\cdot)$, all sufficiently long $x \notin L$ and every auxiliary-input $w$, $\Pr[b \leftarrow (\hat P_{x,w}, V_x) : b = \mathrm{Rej}] > 1 - 1/poly(|x|)$.

2.2 Zero-Knowledge 

We recall the three definitions of AIZK, USZK and BSZK. A view of the verifier is a distribution ensemble which consists of the common input, the verifier's auxiliary input, the verifier's random coins and the sequence of messages sent by the prover and the verifier during the interaction. Let $\mathrm{View}(P_x, V_{x,y}) = [x, y, m; R]$ denote $V$'s view after interacting with $P$, where $x$ is the common input, $y$ the auxiliary input to $V$, $R$ the random coins of $V$ and $m$ the sequence of messages sent by $P$ and $V$. When the auxiliary input $y$ to $V$ is empty, we write $\mathrm{View}(P_x, V_x)$. When the random coins $R$ used by $V$ are fixed, we write $\mathrm{View}(P_x, V^R_{x,y})$ or $\mathrm{View}(P_x, V^R_x)$. For simplicity, when we talk about ZK, we omit the auxiliary-input to the prover $P$.

Definition 5 (AIZK [GoOr94]). Let $P, V$ be two probabilistic interactive machines. We say that $(P, V)$ is auxiliary-input zero-knowledge for $L$ if for every PPT machine $\hat V$ (the cheating verifier), there exists a PPT machine $S_{\hat V}$ (the simulator) such that the following two distribution ensembles are computationally indistinguishable: $\{S_{\hat V}(x, y)\}_{x \in L, y \in \{0,1\}^*}$ and $\{\mathrm{View}(P_x, \hat V_{x,y})\}_{x \in L, y \in \{0,1\}^*}$.

Next, we recall the definition of USZK. For every polynomial $Q(\cdot)$, we denote by $\hat{\mathcal{V}}_{P,Q}$ the set of probabilistic non-uniform polynomial-time machines whose running time when interacting with the prover $P$ is bounded by $Q$. It is important to note that $\hat V \in \hat{\mathcal{V}}_{P,Q}$ is allowed to access an infinite advice sequence $a_1, a_2, \ldots$ such that $|a_n| \le Q(n)$ (footnote 3). $\hat V$ is not allowed to take any auxiliary-input, but is instead allowed to use the advice string $a_{|x|}$ when $x$ is a common input (so the auxiliary-input in $\hat V$'s view is always empty). Note that the encoding of a non-uniform polynomial-time machine $\hat V$ is an infinite sequence $EN_1(\hat V), EN_2(\hat V), \ldots$. Denote by $EN_n(\hat V)$ an encoding of the machine $\hat V$ running on a common input $x$ of length $n$, where $a_n$ is incorporated into the encoding (footnote 4). We denote by $EN(\hat V)$ this sequence.

USZK allows the simulator to take as input the encoding of a cheating verifier. 

Definition 6 (USZK [Or87]). Let $P, V$ be two probabilistic interactive machines. We say that $(P, V)$ is universal simulation zero-knowledge for $L$ if there exists a PPT machine $US$ (the universal simulator) such that for every polynomial $Q(\cdot)$ and every $\hat V \in \hat{\mathcal{V}}_{P,Q}$, the following two distribution ensembles are computationally indistinguishable: $\{US(x, EN_{|x|}(\hat V))\}_{x \in L,\ EN_{|x|}(\hat V) \in EN(\hat V)}$ and $\{\mathrm{View}(P_x, \hat V_x)\}_{x \in L,\ EN_{|x|}(\hat V) \in EN(\hat V)}$, where $EN$ is an arbitrary encoding.

Finally, we recall the definition of BSZK, where the simulator is only allowed 
to use the cheating verifier as a blackbox. 

Definition 7 (BSZK [GoOr94]). Let $P, V$ be two probabilistic interactive machines. We say that $(P, V)$ is blackbox-simulation zero-knowledge for $L$ if there exists a PPT machine $BS$ (the blackbox-simulator) such that for every polynomial $Q(\cdot)$ and every $\hat V \in \hat{\mathcal{V}}_{P,Q}$, the following two distribution ensembles are computationally indistinguishable even when the distinguishers are allowed blackbox access to $\hat V$: $\{BS^{\hat V}(x)\}_{x \in L}$ and $\{\mathrm{View}(P_x, \hat V_x)\}_{x \in L}$.

3 Refer to [Go99, Section A.2.3] for more detail of non-uniform polynomial-time machines.

4 Refer to [HU79, Section 8.3] for an example of the encoding of machines.

The following theorem says that USZK is equivalent to AIZK [Or87].

Theorem 1 (Oren [Or87]). $\mathrm{Cl}(\mathrm{AIZK}) = \mathrm{Cl}(\mathrm{USZK})$.

3 Defining Secure Code Obfuscator 

In this section, we provide security definitions of code obfuscators. We deal with code obfuscators for function ensembles (footnote 5). For simplicity, we identify a function $f_s$ with its evaluator, i.e., a (non-uniform) polynomial-time machine which evaluates it. That is, the encoding of a function means the encoding of the machine which evaluates it. If the function is non-uniformly computable, the encoding must be done depending on the input length.

Definition 8 (code obfuscator). Let $\mathcal{F}$ be a function ensemble. Let $\pi(\cdot)$ be any encoding. A code obfuscator $C$ for $\mathcal{F}$ is a PPT machine which takes as input a code $\pi(f_s)$ of $f_s$ and outputs another code $\Pi(f_s)$ which is also a code of $f_s$.


As sketched in Section 1.2, we try to define the security of code obfuscators based on the simulation paradigm. We require that whatever can be gained by an adversary having access to the code $\Pi(f_s)$ produced by a code obfuscator can also be gained by a PPT machine having only blackbox-access to the function $f_s$.

We first give two unsatisfactory definitions. 

Definition 9. A code obfuscator $C$ for $\mathcal{F}$ is semantically secure if for every encoding $\pi$ and every PPT machine $A$ (the adversary), there exists a PPT machine $M$ (the simulator) such that the following two distribution ensembles are computationally indistinguishable: $\{s \leftarrow \{0,1\}^{l_s(n)};\ \Pi(f_s) \leftarrow C(\pi(f_s)) : A(1^n, \Pi(f_s), z)\}_{n \in \mathbb{N}, z \in \{0,1\}^*}$ and $\{s \leftarrow \{0,1\}^{l_s(n)} : M^{f_s}(1^n, z)\}_{n \in \mathbb{N}, z \in \{0,1\}^*}$.

Consider a simulator which chooses a seed $s'$ randomly, produces an obfuscated code $\Pi(f_{s'})$ and outputs $A(1^n, \Pi(f_{s'}))$. Clearly, this simulator can perfectly simulate the output of any adversary. Therefore, this definition does not make sense. By adding the obfuscated code $\Pi(f_s)$ to the two distributions, we can prevent a simulator from taking such a strategy.

Definition 10. A code obfuscator $C$ for $\mathcal{F}$ is semantically secure if for every encoding $\pi$ and every PPT machine $A$ (the adversary), there exists a PPT machine $M$ (the simulator) such that the following two distribution ensembles are computationally indistinguishable: $\{s \leftarrow \{0,1\}^{l_s(n)};\ \Pi(f_s) \leftarrow C(\pi(f_s)) : (\Pi(f_s), A(1^n, \Pi(f_s), z))\}_{n \in \mathbb{N}, z \in \{0,1\}^*}$ and $\{s \leftarrow \{0,1\}^{l_s(n)};\ \Pi(f_s) \leftarrow C(\pi(f_s)) : (\Pi(f_s), M^{f_s}(1^n, z))\}_{n \in \mathbb{N}, z \in \{0,1\}^*}$.

5 Although we can define the security for functions rather than function ensembles, we don't deal with them in this paper.

Again, this definition does not make sense. Consider an adversary who outputs the given obfuscated code as it is. For such an adversary, we can't expect the existence of a simulator which outputs some code of $f_s$ by accessing $f_s$ in blackbox fashion. Such a simulator exists only for a function ensemble that can be learned efficiently, and such a function ensemble is not interesting here. For example, consider a function ensemble $\mathcal{F}^{\oplus} = \{F_n\}_{n \in \mathbb{N}}$ such that $F_n = \{f_s(x) = x \oplus s : \{0,1\}^n \to \{0,1\}^n\}_{s \in \{0,1\}^n}$. We can easily compute $s$ by accessing $f_s$ in blackbox fashion. Therefore, there is a trivial secure code obfuscator $C$ for $\mathcal{F}^{\oplus}$, that is, $C$ outputs a given code $\pi(f_s)$ as it is and the simulator $M$ computes the seed $s$ and outputs $\pi(f_s)$.

Due to the above failure, we restrict our attention to a particular adversary 
(rather than every adversary) and define the security only against it. We give 
two definitions: one is based on the simulation paradigm like the above and the 
other is based on indistinguishability of obfuscations. 

Definition 11 (semantic security against an adversary). A code obfuscator $C$ for $\mathcal{F}$ is semantically secure against an adversary $A$ (a PPT machine) if for every encoding $\pi$, there exists a PPT machine $M$ (the simulator) such that the following two distribution ensembles are computationally indistinguishable: $\{s \leftarrow \{0,1\}^{l_s(n)};\ \Pi(f_s) \leftarrow C(\pi(f_s)) : (\Pi(f_s), A(1^n, \Pi(f_s), z))\}_{n \in \mathbb{N}, z \in \{0,1\}^*}$ and $\{s \leftarrow \{0,1\}^{l_s(n)};\ \Pi(f_s) \leftarrow C(\pi(f_s)) : (\Pi(f_s), M^{f_s}(1^n, z))\}_{n \in \mathbb{N}, z \in \{0,1\}^*}$.

Another definition is based on indistinguishability of obfuscated codes of a given pair of functions $(f_s, f_{s'})$.

Definition 12 (indistinguishable security against an adversary). A code obfuscator $C$ for $\mathcal{F}$ is indistinguishably secure against an adversary $A$ (a PPT machine) if for every encoding $\pi$, the following two distribution ensembles are computationally indistinguishable: $\{s \leftarrow \{0,1\}^{l_s(n)};\ \Pi(f_s) \leftarrow C(\pi(f_s)) : (\pi(f_s), A(1^n, \Pi(f_s), z))\}_{n \in \mathbb{N}, z \in \{0,1\}^*}$ and $\{s \leftarrow \{0,1\}^{l_s(n)};\ s' \leftarrow \{0,1\}^{l_s(n)};\ \Pi(f_{s'}) \leftarrow C(\pi(f_{s'})) : (\pi(f_s), A(1^n, \Pi(f_{s'}), z))\}_{n \in \mathbb{N}, z \in \{0,1\}^*}$.

Consider an adversary who outputs the size of a given code. There is a code obfuscator such that the size of an obfuscated code is uniquely determined by the size of the seed. Therefore, there exists a trivial code obfuscator which is indistinguishably secure against such an adversary.

It is easy to see that indistinguishable security implies semantic security. 
However, we don’t know whether the reverse implication holds. 

Theorem 2. If a code obfuscator $C$ for a function ensemble $\mathcal{F}$ is indistinguishably secure against an adversary $A$ then it is semantically secure against $A$.

We don’t know whether there is a “non-trivial” function ensemble for which 
there is a code obfuscator semantically secure against a “non-trivial” adversary. 
As shown in the next section, this problem is related to the gap between AIZK 
and BSZK. 
4 Zero-Knowledge and Code Obfuscation

In this section, we present our results. First of all, we show that the gap between AIZK and BSZK implies the existence of a cheating verifier for which no code obfuscator is semantically secure against an adversary.

Let $(P, V)$ be an interactive argument in $\mathrm{Cl}(\mathrm{USZK})$ but not in $\mathrm{Cl}(\mathrm{BSZK})$. We consider a cheating verifier $\hat V \in \hat{\mathcal{V}}_{P,Q}$. Denote by $l_r(\cdot)$, $l_m(\cdot)$ and $l_s(\cdot)$ the polynomials bounding the number of rounds, the length of a message and the number of random coins used by $\hat V$, respectively. We can identify $\hat V$ with a non-uniformly computable function ensemble $\hat{\mathcal{V}} = \{\hat V_n\}_{n \in \mathbb{N}}$, $\hat V_n = \{\hat v_s : \{0,1\}^{n + l_r(n) l_m(n)} \to \{0,1\}^{l_m(n)}\}_{s \in \{0,1\}^{l_s(n)}}$ such that $\hat v_s(x, m) = \hat V(x, -, m; s)$.

Since $(P, V)$ achieves USZK, for every code obfuscator $C$ for $\hat{\mathcal{V}}$, every encoding $\pi$ and every cheating verifier $\hat V \in \hat{\mathcal{V}}_{P,Q}$, there exists a universal simulator $US$ such that for every polynomial $Q$, the distribution ensemble $\{s \leftarrow \{0,1\}^{l_s(|x|)};\ \Pi_{|x|}(\hat v_s) \leftarrow C(\pi_{|x|}(\hat v_s)) : (\Pi_{|x|}(\hat v_s), US(x, \Pi_{|x|}(\hat v_s)))\}_{x \in L}$ is computationally indistinguishable from a view of $\hat V$ interacting with $P$, that is, $\{s \leftarrow \{0,1\}^{l_s(|x|)};\ \Pi_{|x|}(\hat v_s) \leftarrow C(\pi_{|x|}(\hat v_s)) : (\Pi_{|x|}(\hat v_s), \mathrm{View}(P_x, \hat V^s_x))\}_{x \in L}$. We consider the universal simulator $US$ as an adversary.

On the other hand, since $(P, V)$ does not achieve BSZK, there exists a polynomial $Q$ and a non-uniform cheating verifier $\hat V \in \hat{\mathcal{V}}_{P,Q}$ such that for every blackbox-simulator $BS$, the distribution ensemble $\{s \leftarrow \{0,1\}^{l_s(|x|)};\ \Pi_{|x|}(\hat v_s) \leftarrow C(\pi_{|x|}(\hat v_s)) : (\Pi_{|x|}(\hat v_s), BS^{\hat v_s}(x))\}_{x \in L}$ is NOT computationally indistinguishable from $\{s \leftarrow \{0,1\}^{l_s(|x|)};\ \Pi_{|x|}(\hat v_s) \leftarrow C(\pi_{|x|}(\hat v_s)) : (\Pi_{|x|}(\hat v_s), \mathrm{View}(P_x, \hat V^s_x))\}_{x \in L}$. From the above, the theorem follows:

Theorem 3. Assume that $\mathrm{Cl}(\mathrm{BSZK}) \subsetneq \mathrm{Cl}(\mathrm{AIZK})$ holds. Then no code obfuscator for $\hat{\mathcal{V}}$ is semantically secure against $US$.

Now we know that $\mathrm{Cl}(\mathrm{BSZK}) \subsetneq \mathrm{Cl}(\mathrm{AIZK})$ implies the existence of a function ensemble for which no code obfuscator is semantically secure against an adversary. However, we don't know the actual behavior of such a function ensemble. In the rest of this section, we focus on the two cases $\mathrm{Gap}_{pc}$ and $\mathrm{Gap}_{sc}$ to prove non-existence of secure code obfuscators for specific function ensembles.

4.1 The Case of $\mathrm{Gap}_{pc}$

Theorem 4. Assume that $\mathrm{Gap}_{pc}$ is true. Let $\mathcal{F}$ be any PRFE (both input and output length functions are specified in the proof). Then, no code obfuscator for $\mathcal{F}$ is semantically secure against an adversary (the behavior of the adversary is specified in the proof).

Proof. Let $(P_0, V_0)$ be a constant round public-coin AIZK argument for a language $L$ outside of $\mathcal{BPP}$. We use the following notations for $(P_0, V_0)$. Denote by $x$ the common input and by $n$ the length of $x$. For simplicity of the exposition we make some assumptions on the form of the protocol without loss of generality. We assume both the first and last messages are sent by $P_0$. By adding dummy messages any protocol can be converted into one of this form. Note that in such a protocol, the number of rounds is always an odd number $2m+1$, where $m$ is a constant. The messages sent by $P_0$ are denoted by $\alpha_1, \alpha_2, \ldots, \alpha_m$ and $\gamma$ ($\alpha_i$ is the $i$th message and $\gamma$ is the $(m+1)$th message). The messages sent by $V_0$ are denoted by $\beta_1, \beta_2, \ldots, \beta_m$ ($\beta_i$ is the $i$th message). We assume that for every $i$, $\alpha_i$ and $\beta_i$ have length $l_\alpha(n)$ and $l_\beta(n)$, respectively. We also assume that for every $i$, $V_0$ chooses $\beta_i$ randomly in $\{0,1\}^{l_\beta(n)}$. The predicate computed by $V_0$ in order to decide whether to accept or reject is denoted by $p(x, \alpha_1, \beta_1, \ldots, \alpha_m, \beta_m, \gamma)$. That is, $V_0$ accepts $x$ if and only if $p(x, \alpha_1, \beta_1, \ldots, \alpha_m, \beta_m, \gamma) = \mathrm{Acc}$. This predicate may be a randomized function.

Let $\mathcal{F}$ be an $(l_\alpha, l_\beta, l_s)$-PRFE. We transform $(P_0, V_0)$ into another interactive argument $(P_1, V_1)$ using $\mathcal{F}$. $P_1$ is the same as $P_0$. For every $i$ ($1 \le i \le m$), $V_1$ computes $\beta_i = f_s(\alpha_i)$ instead of choosing it randomly, where $s$ is randomly chosen from $\{0,1\}^{l_s(n)}$ at the beginning of the protocol, only once. From the pseudorandomness of $\mathcal{F}$, it follows that $(P_1, V_1)$ is also a $(2m+1)$-round public-coin AIZK interactive argument for $L$.

Let $C$ be a code obfuscator for $\mathcal{F}$. We further transform $(P_1, V_1)$ into a 2-round protocol $(P_2, V_2)$ using $C$. The idea behind this transformation is that $V_2$ sends to the prover $P_2$ the code required for the computation of $V_1$ and makes $P_2$ compute the messages of $V_1$. Let $\pi$ be any encoding.

Protocol: $(P_2, V_2)$, where $x$ is a common input of length $n$ and $w$ is an auxiliary input to $P_2$.

R1: $V_2$ randomly chooses $s$ from $\{0,1\}^{l_s(n)}$ to get $\pi(f_s)$. Then $V_2$ uses the code obfuscator $C$ to produce a code $\Pi(f_s)$ and sends it to $P_2$.

R2: Using the code $\Pi(f_s)$, $P_2$ computes $\alpha_1 \leftarrow P_0(x, w, -)$, $\beta_1 = f_s(\alpha_1)$, $\alpha_2 \leftarrow P_0(x, w, \alpha_1\beta_1)$, $\beta_2 = f_s(\alpha_2)$, $\alpha_3 \leftarrow P_0(x, w, \alpha_1\beta_1\alpha_2\beta_2)$, $\ldots$, $\beta_m$, $\gamma \leftarrow P_0(x, w, \alpha_1\beta_1 \cdots \alpha_m\beta_m)$. Then $P_2$ sends $(\alpha_1, \ldots, \alpha_m, \gamma)$ to $V_2$.

Decision: $V_2$ outputs $p(x, \alpha_1, f_s(\alpha_1), \ldots, \alpha_m, f_s(\alpha_m), \gamma)$.

Claim. $(P_2, V_2)$ achieves AIZK. $(P_2, V_2)$ satisfies efficient completeness, but does not satisfy computational soundness.

Proof. First, we show that $(P_2, V_2)$ achieves AIZK. We have a universal simulator $US$ guaranteed by the USZK or AIZK property of $(P_1, V_1)$. For every cheating verifier $\hat V_2 \in \hat{\mathcal{V}}_{P_2,Q}$, we can use $US$ to simulate the conversation between $P_2$ and $\hat V_2$. The simulation is as follows: (i) Simulate $\hat V_2$ to get a code $\Pi(f_s)$. (ii) Produce the code of $V_1$ using $f_s$ from $\Pi(f_s)$. We denote it by $\Pi(V_{1,s})$. (iii) Output $US(x, \Pi(V_{1,s}))$. It is easy to see that this output distribution is computationally indistinguishable from the real interaction between $P_2$ and $\hat V_2$.

The efficient completeness is clearly satisfied. From the triviality result regarding AIZK [GoOr94], it follows that if $(P_2, V_2)$ satisfies computational soundness, then $L \in \mathcal{BPP}$. This contradicts our assumption. Therefore, computational soundness is not satisfied. □

Now we return to the proof of Theorem 4. We construct an adversary $A$ for which any simulator fails to satisfy the requirement in Definition 11. Recall that $(P_2, V_2)$ does not satisfy computational soundness (Claim 4.1). Let $\hat P$ be a cheating prover who can violate the computational soundness. Let $x$ be a string of length $n$ such that $x \notin L$. Let $w$ be an auxiliary-input to $\hat P$. Given a code of a function $f_s$, $A$ tries to output an accepting conversation. Given an input $(1^n, \Pi(f_s), (x, w))$, $A$ simply outputs $\hat P(x, w, \Pi(f_s))$, i.e., the messages $(\alpha_1, \alpha_2, \ldots, \gamma)$. Since $\hat P$ violates the computational soundness, it follows that for every code obfuscator $C$ for $\mathcal{F}$,

$$\Pr\bigl[s \leftarrow \{0,1\}^{l_s(n)};\ \Pi(f_s) \leftarrow C(\pi(f_s));\ (\alpha_1, \alpha_2, \ldots, \alpha_m, \gamma) \leftarrow A(1^n, \Pi(f_s), (x, w));\ b \leftarrow p(x, \alpha_1, f_s(\alpha_1), \ldots, \alpha_m, f_s(\alpha_m), \gamma) : b = \mathrm{Acc}\bigr]$$

is NOT negligible in $n$.

On the other hand, from the argument in [GoKr96, Proof of Lemma 6.4], it follows that for every PPT machine $M$ (simulator), every auxiliary-input $w$ and every code obfuscator $C$ for $\mathcal{F}$,

$$\Pr\bigl[u \leftarrow U_{l_\alpha(n), l_\beta(n)};\ (\alpha_1, \ldots, \alpha_m, \gamma) \leftarrow M^{u}(1^n, (x, w));\ b \leftarrow p(x, \alpha_1, u(\alpha_1), \ldots, \alpha_m, u(\alpha_m), \gamma) : b = \mathrm{Acc}\bigr]$$

is negligible in $n$. By the pseudorandomness of $\mathcal{F}$, we can replace the uniform function $u$ by the function $f_s$. It follows that for every PPT machine $M$, every auxiliary-input $w$ and every code obfuscator $C$,

$$\Pr\bigl[s \leftarrow \{0,1\}^{l_s(n)};\ (\alpha_1, \ldots, \alpha_m, \gamma) \leftarrow M^{f_s}(1^n, (x, w));\ b \leftarrow p(x, \alpha_1, f_s(\alpha_1), \ldots, \alpha_m, f_s(\alpha_m), \gamma) : b = \mathrm{Acc}\bigr]$$

is negligible in $n$. Since any simulator fails to simulate $A$, no code obfuscator $C$ for $\mathcal{F}$ can be semantically secure against $A$. □


The theorem does not extend to the case of non-constant rounds since we 
use the argument in [GoKr96, Proof of Lemma 6.4]. 


4.2 The Case of $\mathrm{Gap}_{sc}$

In this section, we consider the second case. The argument here is essentially 
equivalent to the one in the previous section. 

Let $(P_0, V_0)$ be a 3-round secret-coin AIZK argument for a language $L$ outside of $\mathcal{BPP}$. We denote by $\alpha$ and $\gamma$ the messages sent by $P_0$. We denote by $\beta$ the message sent by $V_0$. Denote by $R_{sc}$ the secret-coin used by $V_0$ to compute $\beta \leftarrow V_0(x, -, \alpha)$. The length functions of $\alpha$, $\beta$, $R_{sc}$ are denoted by $l_\alpha(\cdot)$, $l_\beta(\cdot)$ and $l_{R_{sc}}(\cdot)$, respectively. The predicate computed by $V_0$ in order to decide whether to accept or reject is denoted by $p(x, \alpha, \gamma, R_{sc})$.

Let $\mathcal{F}$ be an $(l_\alpha, l_{R_{sc}}, l_s)$-PRFE. We transform $(P_0, V_0)$ into another interactive argument $(P_1, V_1)$ using $\mathcal{F}$. $P_1$ is the same as $P_0$. $V_1$ computes $\beta$ as follows: it chooses $s$ randomly from $\{0,1\}^{l_s(n)}$, computes $R_{sc} = f_s(\alpha)$ and $\beta = V_0(x, -, \alpha; R_{sc})$. We denote by $CV = \{CV_n\}_{n \in \mathbb{N}}$ a function ensemble such that $CV_n = \{CV_s : CV_s(x, \alpha) = V_0(x, -, \alpha; f_s(\alpha))\}_{s \in \{0,1\}^{l_s(n)}}$. From the pseudorandomness of $\mathcal{F}$, it follows that $(P_1, V_1)$ is a 3-round secret-coin AIZK interactive argument for $L$.

Now we prove our second theorem. 

Theorem 5. Assume that $\mathrm{Gap}_{sc}$ is true. Let $CV$ be the function ensemble specified above. Then, no code obfuscator for $CV$ is semantically secure against an adversary (the behavior of the adversary is specified in the proof).

Proof. Let C be a code obfuscator C for CV. We further transform (Pi, Vf) into 
a 2-round protocol (P2, V2) using C. Let 7r be any encoding. 

Protocol: (P2, V2), where a; is a common input of length n and w is an auxiliary 
input to P2. 

Rl: V2 randomly chooses s from {0, l} (,(n ) to get n(CV s ). Then V2 use the code 
obfuscator C to produce a code II(CV S ) and send it to P2. 

R2: Using the code II(CV S ), P2 computes a <— Po(x,w,—), (3 = CV s (x,a) = 
Vq{x, — ,a; /«(«)) and 7 <— Po(x, w, a(3). Then P2 sends (0,7) to V2. 

Decision: V2 outputs p(x, a, 7, f s (ot)). 

Claim. (P2, V2) achieves AIZK. (P2, V2) satisfies the efficient completeness, but 
doesn’t satisfy the computational soundness. 

Proof. The proof is essentially equivalent to the one of Claim 4.1. □ 

The rest of the proof is equivalent to the corresponding one of Theorem 4 
except that we use the argument in [GoKr96, Section 6.3] instead of the one in 
[GoKr96, Proof of Lemma 6.4]. The detail is omitted. □ 

The theorem does not extend to the case of more than 3 rounds since we use 
the argument in [GoKr96, Section 6.3]. 

5 Concluding Remarks 

In this paper, we have shown that the gap between Cl(AIZK) and Cl(BSZK) is 
closely related to code obfuscation. We have focused on the following two 
statements: (1) There exists a constant round public-coin AIZK argument for a 
language outside of BPP. (2) There exists a 3-round secret-coin AIZK argument 
for a language outside of BPP. We have shown that if these statements are true, 
they imply negative results for code obfuscation. If the former is true, there exists 
no semantically secure code obfuscator for a PRFE. A similar negative result 
regarding the latter statement has also been shown. We do not know whether 
these non-existence results are reasonable or not. However, our result is a good 
reason to believe that any construction of constant round public-coin or 3-round 
secret-coin AIZK arguments for non-trivial languages essentially requires a 
computational assumption with a reverse-engineering property. Indeed, the 3-round 
AIZK argument constructed in [HT98] requires a computational assumption with 
a reverse-engineering property. 

Dwork et al. showed that if there exists a secure bit commitment function 
resilient to selective decommitment then there exist 3-round public-coin ZK 
arguments for any NP language [DNRS99]. It is an open problem whether there 
exists a bit commitment function resilient to selective decommitment. They showed 
that in several special cases, such a bit commitment function exists in a weaker 
sense. However, the weaker resilience seems to be insufficient for the existence 
of 3-round public-coin ZK arguments for an NP language. Combining their 
result with Theorem 4, we can easily obtain the following relationship: Under 
the assumption that NP ⊄ BPP, if there exists a secure 
bit commitment function resilient to selective decommitment, then there is no 
semantically secure code obfuscator for PRFEs. 

We considered only the setting of ZK arguments, but the problem studied in 
this paper really applies to any setting where we need a simulator [GM84, Ca00]. 
It is interesting to investigate what could be proven in other settings. 
Abstract. A discrete-logarithm algorithm is called generic if it does 
not exploit the specific representation of the cyclic group for which it 
is supposed to compute discrete logarithms. Such algorithms include 
the well-known Baby-Step-Giant-Step procedure as well as the Pohlig- 
Hellman algorithm. In particular, these algorithms match a lower bound 
of Nachaev showing that generic discrete-log algorithms require expo- 
nentially many group operations. Building on this lower bound, Shoup 
and subsequently Schnorr and Jakobsson proved other discrete-log-based 
protocols to be intractable in the generic model. Here, we discuss pitfalls 
when applying the generic model to other schemes than the discrete-log 
problem and when interpreting such lower bounds as security proofs for 
these schemes. 


1 Introduction 

The Baby-Step-Giant-Step algorithm and the Pohlig-Hellman algorithm to compute 
discrete logarithms in cyclic groups operate representation-independently, 
i.e., they do not rely on the specific representation of the group, and thus work 
for any cyclic group. These examples match a lower bound of Nachaev [20] 
proving that such generic algorithms need Ω(√q) group operations to compute 
discrete logarithms in a group of size q. The index calculus method, though, 
defeats this lower bound as it requires subexponential time for groups like Z_p^* 
with standard binary encoding. Yet, the index calculus is not known to work for 
arbitrary groups, e.g., it seems to be inapplicable to elliptic curves [26]. 

From a theoretical point of view, it is easy to see that security proofs in 
the generic model do not generally transfer to “the real world” when adding 
an encoding, because generic algorithms might cause an exponential blow-up in 
comparison to Turing machines: for the group (Z_q, +) the discrete logarithm 
of some element x ∈ Z_q with respect to the generator 1 is simply x. If we 
use the standard binary encoding of Z_q then it is easy to compute discrete 
logarithms for an algorithm that operates on bit strings. A generic algorithm, 
however, requires Ω(√q) steps to find the discrete logarithm, because it cannot 
take advantage of the trivial encoding. 

T. Okamoto (Ed.): ASIACRYPT 2000, LNCS 1976, pp. 458-469, 2000. 

© Springer-Verlag Berlin Heidelberg 2000 

Shoup [25] and subsequently Schnorr and Jakobsson [24] extended the idea 
of Nachaev and proved schemes relying on the discrete-logarithm problem to be 
intractable for generic algorithms. Nonetheless, applying this model and its lower 
bound to other discrete-log-based protocols should not be viewed as providing 
the same security level as the fact that, currently, optimal discrete- log finders 
for appropriate groups like elliptic curves are generic. The aim of this work is to 
highlight some of these pitfalls when proceeding from the discrete-log problem 
to more sophisticated schemes in the generic model. 

We present a simple explanatory example. Moving from a computational task 
like computing discrete logarithms to a decisional problem, e.g., distinguishing 
encryptions, without additional consideration is a dangerous step: the represen- 
tation in decisional problems is related to the problem at a different level. For 
instance, for discrete-log-based algorithms allegedly producing pseudorandom 
strings an inappropriate encoding of group elements may cause the output to be 
easily distinguishable from random, even though the encoding does not help to 
compute discrete logarithms. 

As another example consider the signed ElGamal encryption scheme in [24]. 
Informally, a signed ElGamal encryption consists of an ordinary ElGamal en- 
cryption [11] together with a Schnorr signature [23]. In [24] it is shown that the 
signed ElGamal scheme is secure against adaptive chosen-ciphertext attacks [22] 
in a combination of the generic model and the random oracle model. This proof 
relies on the fact that the adversary cannot generate a group element without 
knowing a representation of this value with respect to a set of given group 
elements^1 and that this representation is known to a simulator reducing an adaptive 
attack with decryption requests to one without such queries. 

In Section 3 we present a three-round negligible-error zero-knowledge proto- 
col in the generic model for all languages in NP. Our protocol, too, applies the 
property that a generic adversary cannot compute group elements without be- 
ing aware of a representation, and that a simulator knows these representations; 
for a similar but more complicated protocol see [16]. In [13] it has been proved 
that three-round negligible-error black-box (i.e., observing only external behav- 
ior of parties) zero-knowledge proofs can only exist for languages in BPP. Since 
our protocol does not obey this black-box approach — we see internal data of 
the simulated adversary, specifically, the representations of the group elements 
chosen by the adversary — we simplify the problem to achieve something which 
we do not know how to do otherwise. The same trick enables [24] to prove the 
signed ElGamal scheme to be unbreakable in this model. 

Another problem with viewing intractability results in the generic model as 
security proofs is the dependency of cryptographic primitives in this setting. 
Consider the well-known Schnorr signature scheme [23] in which a signature 
corresponds to a proof of knowledge for the secret key. The challenge for this 
proof of knowledge is generated by applying a suitable hash function to a group 
element and the message. This suggests that in the generic model the hash 
function itself must be treated as a black box, because it does not solely operate 
on bit strings but partially on group elements. The hash function is therefore 
closely connected to the group. As for an actual implementation in practice, it 
is therefore necessary to verify that attaching a good hash function to a 
presumably strong group does not give rise to undesired problems. We 
elaborate on this in Section 4 by discussing the Schnorr signature scheme. Namely, 
we show that, although this signature scheme seems to be secure in the generic 
model for appropriate hash functions, depending on the choice of the group for 
the hash function, in the real world we either obtain a secure combination or we 
get an easy-to-forge scheme. 

1 A representation of X with respect to group elements g_1, ..., g_n is a sequence 
a_1, ..., a_n of integers such that X = ∏ g_i^{a_i}. For the special case n = 1 a 
representation corresponds to the discrete log of X with respect to g_1. 

In contrast to the generic approach, a classical proof in cryptography is mod- 
ular: once proved secure under certain properties of the primitives involved, one 
can take any instantiation of any of the primitives satisfying these properties, 
and it is guaranteed that the combined scheme is secure. Hence, in the generic 
case additional attention must be paid when implementing the schemes. Since 
the aforementioned problems could be subtle and hidden very well, this intro- 
duces a dangerous source of flaws. 

In conclusion, even if some cryptographic protocol is provably secure in the 
generic model, this does not necessarily give us the same confidence as the ob- 
servation that nowadays optimal algorithms for the discrete-logarithm problem 
for groups like elliptic curves are generic. 

2 Preliminaries 

Since the aim of this work is to highlight principal problems with security proofs 
in the generic model, the following discussion and all results are kept at a very 
informal level. 

Generic algorithms and their application to cryptography have been 
introduced to the crypto community by Shoup [25] relying on a result by Nachaev 
[20]. Shoup models generic algorithms by oracle Turing machines. That is, choose 
a random encoding of group elements and give the oracle Turing machine access 
to a group operation oracle taking as input the random encodings of two group 
elements X, Y and returning the random encoding of XY or XY^{−1}. Schnorr and 
Jakobsson [24] use a slightly different approach by dividing data into group 
data and non-group data. “Their” generic algorithms operate on non-group data 
as Turing machines^2 whereas for group data the algorithm is only allowed to 
compute the group element ∏ X_i^{a_i} for elements X_1, ..., X_n and integers 
a_1, ..., a_n in a single oracle step. 

In [24] the signed ElGamal encryption scheme — introduced in [17,27] — has 
been analyzed in a combination of the random oracle and generic model. As 
mentioned before, basically, an encryption consists of an ElGamal encryption 
with a tag, a Schnorr signature. The system parameters are a group G of prime 
order q, a generator g of G, and a random oracle H : G^3 → Z_q. The secret and 
the public key are given by x ∈ Z_q and X = g^x. In order to encrypt a message 
m ∈ G select random r, s ∈ Z_q, compute an ElGamal ciphertext R = g^r, Y = 
m X^r and a Schnorr signature with g^s and c = H(g^s, R, Y), z = s + cr mod q. 
Finally, output (R, Y, c, z) as the ciphertext of m. To decrypt with the secret 
key x first check the validity of the signature tag, i.e., that c = H(g^z R^{−c}, R, Y), 
and if so return the message Y/R^x. The idea is that the Schnorr signature with 
secret key r for message (R, Y) guarantees that the adversary knows r and thus 
the message Y/X^r = m. 

2 Actually, Schnorr and Jakobsson [24] allow the generic algorithms to compute 
arbitrary functions on the non-group data and do not even restrict to recursive functions. 

A Note on Security Proofs in the Generic Model 461 
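The encryption and tag check just described, as an added Python example that is not code from [24] or from this paper: the random oracle H is stood in for by SHA-256 reduced mod q (an assumption), and the group is a constructed toy subgroup of Z_p^* with p = 2q + 1 = 2039, q = 1019, g = 4, which is far too small for real use.

```python
import hashlib
import secrets

# Toy group, constructed for illustration only (far too small for real use):
# p = 2q + 1 with p, q prime; g = 4 generates the subgroup G of prime order q in Z_p^*.
P, Q, G = 2039, 1019, 4


def hash_to_zq(*elements):
    """Stand-in for the random oracle H : G^3 -> Z_q (assumption: SHA-256 reduced mod q)."""
    data = b"|".join(str(e).encode() for e in elements)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen(x=None):
    """Secret key x in Z_q, public key X = g^x."""
    x = secrets.randbelow(Q - 1) + 1 if x is None else x
    return x, pow(G, x, P)


def encrypt(X, m, r=None, s=None):
    """Signed ElGamal: ElGamal pair (R, Y) plus a Schnorr signature (c, z) on (R, Y)
    under the ephemeral secret r.  m must be an element of G.  r, s may be fixed
    for reproducible runs (constructed test coins)."""
    r = secrets.randbelow(Q) if r is None else r
    s = secrets.randbelow(Q) if s is None else s
    R = pow(G, r, P)                    # R = g^r
    Y = m * pow(X, r, P) % P            # Y = m X^r
    c = hash_to_zq(pow(G, s, P), R, Y)  # c = H(g^s, R, Y)
    z = (s + c * r) % Q                 # z = s + c r mod q
    return R, Y, c, z


def tag_is_valid(ct):
    """Check c = H(g^z R^{-c}, R, Y).  R^{-c} is R^{q-c} because R has order q."""
    R, Y, c, z = ct
    commitment = pow(G, z, P) * pow(R, (Q - c) % Q, P) % P
    return hash_to_zq(commitment, R, Y) == c


def decrypt(x, ct):
    """Reject ciphertexts whose tag fails; otherwise return m = Y / R^x."""
    if not tag_is_valid(ct):
        return None
    R, Y, _, _ = ct
    return Y * pow(R, (Q - x) % Q, P) % P
```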

A first formal proof that this combination of ElGamal encryption and Schnorr 
signature is indeed secure against adaptive chosen-ciphertext attacks has been 
given in [27], under the assumption that H is a random oracle, that the 
decisional Diffie-Hellman problem [6] is intractable, and based on a somewhat strong 
assumption about the unforgeability of Schnorr signatures. In [24] the scheme 
has been proved secure in the generic model given that H is a random oracle. 

In order to show that certain approaches are possible when observing internal 
behavior, but are not known to be achievable otherwise, we present an example 
based on zero-knowledge proofs. Hence, we briefly discuss the definition of zero- 
knowledge proofs in the generic model. See [12] for a comprehensive treatment 
of zero-knowledge protocols. Informally, a zero-knowledge protocol [15] for a 
language L is an interactive proof system between an unbounded party, called 
the prover P, and a probabilistic polynomial-time machine, the verifier V, such 
that the following holds: 

— completeness: if P and V both honestly follow the protocol then V always 
accepts inputs x ∈ L. 

— soundness: for x ∉ L the verifier V only accepts with probability ε(|x|) for 
any malicious prover P* pretending to be P. The function ε is called the error 
of the protocol. Likewise, if ε is negligible then the protocol has negligible 
error. 

— zero-knowledge: for any x ∈ L, any possibly malicious verifier V* does 
not learn anything useful beyond the fact that x ∈ L (in a computational 
sense) from the protocol execution with P. That is, for any verifier V* there 
exists a probabilistic (expected) polynomial-time simulator S such that for 
x ∈ L the simulator’s output S(V*, x) is computationally indistinguishable 
[14] from the random variable that describes the exchanged messages of a 
protocol execution between P and V*. 

Basically, augmenting interactive proof systems by a group oracle means to 
provide all parties P, P*, V, V*, S access to the same oracle. This, of course, implies 
that we have to transfer the indistinguishability property to the generic model. 
Instead of demanding that any generic algorithm (with access to the same group 
oracle) cannot distinguish the prover’s and the simulator’s answers, we 
afterwards encode in both cases all group elements in a group with some encoding, 
like Z_p^* and the binary representation. Clearly, this leads to a conditional 
statement that the output of the zero-knowledge simulator is indistinguishable (in the 
standard sense) from the prover’s answers under the assumption that the group 
with the encoding is secure. By this, we avoid having to introduce distinguishers 
in the generic model. 

The zero-knowledge simulator which we present in Section 3 will not be a 
black-box simulator as it learns the queries of V* submitted to the group or- 
acle, and hence observes some internal behavior of V*. In fact, this is crucial 
for our three-round negligible-error zero-knowledge protocol in the next section. 
Furthermore, this is exactly what is done in [24] in order to prove the signed 
ElGamal encryption scheme to be secure against adaptive chosen-ciphertext at- 
tacks. There, it is demonstrated that the adversary essentially cannot create ci- 
phertexts without knowing the message, and that the message can be extracted 
by looking at the adversary’s oracle queries to the group oracle. Schnorr and 
Jakobsson [24] call this plaintext awareness (and thus implicitly suggest a 
definition in the generic model, although they do not present a formal definition). 
They refer to plaintext awareness as defined in [5] rather than to the refinement 
given in [2]. We are not aware if the signed ElGamal scheme is plaintext aware 
according to this refinement. 

Finally, let us recall the three-round discrete-log-based oblivious transfer pro- 
tocol of Bellare and Micali [3]. We apply this protocol as a tool to derive our 
zero-knowledge scheme. Informally, a chosen-one-out-of-two oblivious transfer 
scheme is a two-party protocol between a sender possessing messages mo, mi 
and the receiver. The receiver would like to learn mb from the sender such that 
the sender does not learn the receiver’s choice b. On the other hand, the sender 
is willing to reveal one of the messages to the receiver, but does not want to 
give away anything about the other message. Bellare and Micali introduce the 
following protocol in a group G of prime order q generated by g.^3 

— The sender generates a random pair x ∈ Z_q, X = g^x of private and public 
key and sends X to the receiver. 

— The receiver, trying to get m_b, randomly chooses y ∈ Z_q, sets Y_b = g^y and 
Y_{1−b} = X Y_b^{−1} and transmits Y_0, Y_1. 

— The sender checks that Y_0 Y_1 = X. If so, it selects uniformly a_0, a_1 ∈ Z_q 
and computes the ElGamal encryptions (g^{a_i}, Y_i^{a_i} m_i) for i = 0, 1 
(where we presume for simplicity that the messages are in some way encoded 
as group elements). The sender transmits both pairs to the receiver. 

— The receiver, knowing the discrete log of Y_b, can decrypt m_b. 

Intuitively, the receiver can only know one of the secret keys of Y_0, Y_1 and thus 
learns only a single message, i.e., the other message is computationally hidden 
under the decisional Diffie-Hellman assumption [3]. Conversely, the sender does 
not learn in an information-theoretical sense which of the messages the receiver 
wants to retrieve, because the values Y_0, Y_1 are distributed independently of b. 
We remark that the same functionality can be accomplished with a less 
efficient scheme based solely on the computational Diffie-Hellman assumption and 
hardcore predicates [3]. 

3 In the generic model, the group is given, while in the real world it is generated by 
the sender in the first step, say, by selecting a subgroup G of Z_p^*. Since only the 
sender’s privacy but not the receiver’s depends on the intractability of the discrete 
log in this group, and because the receiver can verify that a proper group of prime 
order has been generated, we can simply assume that even a malicious sender chooses 
the group honestly. 
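The three-round Bellare-Micali exchange above, as an added Python example that is not the authors' code: both parties' messages are computed with fixed coins (constructed values) so a run is reproducible, in a constructed toy group p = 2q + 1 = 2039, g = 4. The sender's check Y_0 Y_1 = X is enforced, and run_ot also returns what the receiver obtains when it applies its y to the other ciphertext, which is a group element unrelated to m_{1−b}.

```python
import secrets

# Toy group constructed for illustration only (far too small for real use):
# p = 2q + 1 with p, q prime; g = 4 generates the subgroup of prime order q in Z_p^*.
P, Q, G = 2039, 1019, 4


def neg_pow(base, e):
    """base^{-e} mod p for base in the order-q subgroup, computed as base^{q - e}."""
    return pow(base, (Q - e % Q) % Q, P)


def sender_round1(x=None):
    """Round 1: the sender picks a key pair x, X = g^x and sends X."""
    x = secrets.randbelow(Q - 1) + 1 if x is None else x
    return x, pow(G, x, P)


def receiver_round2(X, b, y=None):
    """Round 2: wanting m_b, the receiver sets Y_b = g^y and Y_{1-b} = X * Y_b^{-1}
    and sends (Y_0, Y_1).  It knows the discrete log of Y_b only."""
    y = secrets.randbelow(Q - 1) + 1 if y is None else y
    Yb = pow(G, y, P)
    pair = [None, None]
    pair[b] = Yb
    pair[1 - b] = X * neg_pow(Yb, 1) % P
    return y, (pair[0], pair[1])


def sender_round3(X, Y_pair, m0, m1, a=None):
    """Round 3: the sender checks Y_0 * Y_1 = X, then ElGamal-encrypts m_i under Y_i."""
    Y0, Y1 = Y_pair
    if Y0 * Y1 % P != X:
        raise ValueError("malformed receiver message: Y_0 * Y_1 != X")
    if a is None:
        a = (secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1)
    a0, a1 = a
    ct0 = (pow(G, a0, P), pow(Y0, a0, P) * m0 % P)   # (g^{a_0}, Y_0^{a_0} m_0)
    ct1 = (pow(G, a1, P), pow(Y1, a1, P) * m1 % P)   # (g^{a_1}, Y_1^{a_1} m_1)
    return ct0, ct1


def receiver_decrypt(y, ct):
    """ElGamal decryption with secret y: m = C / A^y."""
    A, C = ct
    return C * neg_pow(A, y) % P


def run_ot(m0, m1, b, x=11, y=29, a=(5, 7)):
    """Full exchange with fixed (constructed) coins.  Returns the message the
    receiver learns for its choice b, and the value it gets by applying y to
    the other ciphertext (equal to m_{1-b} only if x = 2y mod q, which is
    excluded by the chosen coins)."""
    x, X = sender_round1(x)
    y, Y_pair = receiver_round2(X, b, y)
    cts = sender_round3(X, Y_pair, m0, m1, a)
    return receiver_decrypt(y, cts[b]), receiver_decrypt(y, cts[1 - b])
```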


3 Three-Round Negligible-Error Zero-Knowledge for NP 

In this section we present our three-round negligible-error zero-knowledge 
protocol for the NP-complete language DHC, Directed Hamiltonian Cycle. The 
well-known atomic protocol with error 1/2 works as follows (cf. [12]): 

— The prover permutes the common input graph H with permutation π to 
obtain a graph π(H). Then the prover sends a bit-wise commitment of 
the describing matrix of π(H), and a commitment of π. We assume that 
the commitment scheme is non-interactive, computationally-hiding and 
unconditionally-binding; such commitment schemes exist for example under 
the discrete-log assumption (see [12]). 

— The verifier chooses a random bit b and asks the prover to reveal a 
Hamiltonian cycle in the permuted graph (b = 0), or to show that the commitment 
sequence really contains an isomorphic copy of H (b = 1). 

— The prover acts accordingly, i.e., for b = 0 opens n committed 1-bits of 
the matrix of π(H) describing a directed Hamiltonian cycle, and for b = 1 
decommits to all of π and π(H). 

— The verifier decides upon the opening. 

Obviously, this protocol is complete. Soundness holds with error 1/2 because for 
input H ∉ DHC the prover can answer at most one of the two possible challenges 
correctly. The zero-knowledge simulator tries to guess the challenge prior to the 
commitment, i.e., commits to an arbitrary graph with a random Hamiltonian 
cycle if the guess is b = 0, and to a random permutation of H for b = 1. Then it 
obtains the challenge b* of the verifier V* and if b = b* the simulator opens the 
commitments accordingly; else it restarts. The expected number of trials until 
the simulator successfully guesses b* is two. 

Assume that instead of opening the parts of commitment according to the 
challenge in the atomic protocol, the prover executes both openings in parallel 
but encrypts each of both sequences of decommitments with an independent 
secret key. Additionally, the prover transfers one of these keys obliviously to 
the verifier (who decides at random which key) with the Bellare-Micali proto- 
col. This technique has already been successfully applied in other works about 
zero-knowledge proofs (e.g. [18,9]). Completeness and soundness of the atomic 
protocol are preserved. But it is not clear that the zero-knowledge property still 
holds, because not knowing the right key the trial-and-error simulator above 
cannot check that its guess is correct. In the generic model, though, the simula- 
tor sees the verifier’s group oracle queries and thus learns which key the verifier 
has chosen. 
An important observation is that we can move the commitment step of the 
first round to the third round without affecting the soundness property. This 
leads to the protocol in Figure 1, where we use the notation [OT(K_0, K_1, b)]_i to 
denote the message in the i-th round (i = 1, 2, 3) of the OT scheme of Bellare- 
Micali with private input K_0, K_1 of the prover and random secret bit b of the 
verifier. Additionally, we denote by Enc_K(·) a semantically-secure [14] encryption 
scheme, e.g., the basic ElGamal encryption scheme under the decisional Diffie- 
Hellman assumption [27], or a hardcore-predicate-based bit encryption scheme 
based on the computational Diffie-Hellman assumption. 


prover P                                            verifier V 

common input: graph H 

do |H| times in parallel: 

  P: select keys K_0, K_1; choose random π; compute π(H) 
  P → V: [OT(K_0, K_1, b)]_1 
  V: choose random b 
  V → P: [OT(K_0, K_1, b)]_2 
  P: C = bit-wise commitment of π, π(H) 
     E_0 = Enc_{K_0}(decommitment of Hamiltonian cycle in π(H)) 
     E_1 = Enc_{K_1}(decommitment of π, π(H)) 
  P → V: C, E_0, E_1, [OT(K_0, K_1, b)]_3 
  V: decrypt E_b; check validity 

Fig. 1. Three-Round Negligible-Error Zero-Knowledge Proof of Hamiltonian Cycle 


Apparently, our protocol is complete. A malicious prover P* can convince 
the verifier with probability at most for inputs outside the language, 
because P* must then lie either about the permutation or about the Hamiltonian 
cycle, but does not know on which side he is checked (the verifier’s choice b is 
hidden information-theoretically in the Bellare-Micali protocol and the prover’s 
commitments are unconditionally binding). 

It remains to specify the zero-knowledge simulator S. In the generic model, 
S knows which key the verifier in each parallel execution retrieves, because the 
simulator sees the internal group oracle queries of the verifier. That is, although 
the malicious verifier might generate Y_0, Y_1 in the oblivious transfer protocol 
differently than the honest verifier, it always holds in the generic model that Y_0 = 
g^a X^b and Y_1 = X^{1−b} g^{−a} for some a, b which the simulator knows; thus, the verifier 
learns at most one of the keys K_0, K_1 and the simulator then knows which one 
(i.e., for b ∈ {0, 1} the verifier knows the secret key to Y_b, and neither one for 
b ∉ {0, 1}). 

Our simulator imitates the simulator of the atomic protocol and chooses 
appropriate commitments and correct or dummy encryptions. That is, for each 
parallel execution our simulator selects keys K_0, K_1 and invokes the 
oblivious transfer protocol with the verifier. The verifier answers with some group 
elements and we deduce which key (if any) the verifier wants to retrieve. If this 
is key K_0 we run the simulator of the atomic protocol to produce an 
appropriate commitment/decommitment for the guess b = 0; else, for K_1, we let this 
simulator generate a good instance for guess b = 1. We then correctly encrypt 
the opening with the chosen key and produce a dummy ciphertext of 0-bits with 
the other key. The fact that the views (afterwards encoded) are 
computationally indistinguishable under the decisional Diffie-Hellman assumption follows by 
standard techniques and is omitted. Also, if we use the less efficient variant of 
the Bellare-Micali protocol with hardcore predicates and the corresponding bit 
encryption scheme instead, then this scheme is computationally zero-knowledge 
under the computational Diffie-Hellman assumption. 

Why does our result not contradict the lower bound in [13] for the round 
complexity of zero-knowledge proofs? The reason is that the BPP-algorithm in 
[13] relies on a black-box simulator observing merely the external behavior of the 
verifier. Here, the simulator sees some internal operations, namely, the queries to 
the group oracle. The same property has been used in [24]. Recall that a signed 
ElGamal encryption is a tuple (R, Y, c, z) = (g^r, mX^r, c, z). In [24] it has been 
shown that submitting such a tuple to the decryption oracle can be simulated 
because the signature ensures that the adversary must have computed g r via 
the group oracle with very high probability; thus, r is known to a simulator 
that keeps track of the adversary’s group oracle queries. In particular, it follows 
that the answer m = Y/X r of the decryption oracle can be computed by the 
simulator without knowing the secret key to X. By this, any decryption requests 
can be simulated by a single group operation. 

4 Instantiations of the Schnorr Signature Scheme 

In this section we discuss problems when choosing bad combinations of instanti- 
ations of the primitives, although the constructed scheme is presumably secure 
in the generic model. Our demonstration example will be the Schnorr signature 
scheme [23]. First, let us briefly recall the system. 

The scheme involves a group G of prime order q generated by some g ∈ G 
and a hash function H; we will later discuss the properties of H. The secret 
key is a random element x ∈ Z_q and the public key is given by X = g^x ∈ G. 
To sign a message m the signer chooses a random r ∈ Z_q, computes g^r and 
c = H(g^r, m) ∈ Z_q as well as y = r + cx mod q. The signature consists of 
the pair (c, y). In order to verify a signature/message pair (c, y), m the verifier 
calculates Z = g^y X^{−c} and checks that c = H(Z, m). 

A potential attack on the Schnorr signature scheme is to reverse engineer the 
hash function, i.e., to choose a hash value c beforehand and then to try to find 
y ∈ Z_q such that H(g^y X^{−c}, m) = c. Obviously, (c, y) is then a valid signature. 
In practice, it is therefore assumed that H is a collision-intractable hash function 
that cannot be reverse engineered. 

We add the public parameters describing the group G and g, X to the hash 
evaluation process. That is, the hash value is computed as H(⟨G⟩, g, X, g^r, m) 
and as H(⟨G⟩, g, X, Z, m), respectively, where ⟨G⟩ denotes the group 
description. This is also suggested in [19] to prevent so-called adversarial hashing, and 
to the best of our knowledge this does not weaken the Schnorr signature scheme. 
Nonetheless, it gives us the possibility to relate the hash function evaluation 
process to the underlying group. 

We will consider two instantiations of the collision-intractable hash function 
and the group. Both instances use the same hash function, but each time a 
different cryptographically-strong group. One example will be completely insecure, 
whereas the other seems to provide a secure signature scheme. By this, it 
follows that the choice of the group also affects the choice of the hash function 
and vice versa. As we will argue, both approaches conceivably provide a secure 
combination in the generic model. In contrast, a traditional security proof that 
a safe group and a collision-intractable hash function withstanding reverse 
engineering are sufficient would imply that any combination of, say, SHA-1 or MD5 
with groups in Z_p^* or elliptic curves yields a secure scheme. Hence, security in 
the generic model does not support modular implementations in general. 

For the sake of clarity, we explain the example below for subgroups of Z_p^* of 
prime order q with binary encoding. It also works for any other group, say, 
elliptic curves, if we hash down the binary representations of group elements 
to numbers between 0 and p − 1. Let h be a collision-intractable hash function 
that maps bit strings to the interval [1, (q − 1)/2], viewed as a subset of Z_q. 
Furthermore, let h be secure against reverse engineering in the sense discussed 
above. Define the hash function H for the signature scheme by dividing the input 
message m into m_1, m_2 where m_2 ∈ {0,1}^{|p|} is interpreted as a group element 
in Z_p^*. Set 

  H(p, q, g, X, R, m_1, m_2) = 
      h(m_1)                             if R ∈ [0, q) and R X^{h(m_1)} = g mod p 
                                         and g^R = m_2 mod p, 
      h(R, m_1, m_2) + (q − 1)/2 mod q   else. 

It is easy to see that the derived hash function H is collision-intractable for fixed 
p, q, g, X and varying (R, m_1, m_2). 

The idea of the construction of H is that its properties depend on the group. 
Specifically, assume that we choose p = 2q + 1. Then roughly half of the elements 
in G ⊂ Z_p^* fall into the interval [0, q) (see [21]). If an adversary now picks m_1 
at random and computes R = g X^{−h(m_1)} then with probability approximately 
1/2 this value R is less than q as a natural number (assuming that the hash 
function h distributes random values quite well). In this case, R X^{h(m_1)} = g and 
for m_2 = g^R mod p the hash function output equals c = h(m_1). Thus, (c, 1) is a 
valid signature for (m_1, m_2) and the adversary easily succeeds in forging Schnorr 
signatures (without necessarily being able to compute discrete logarithms). 
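The Schnorr scheme with the group-dependent H above, as an added Python example that is not the paper's code, on the constructed toy instance p = 2q + 1 = 2039, g = 4; h is stood in for by SHA-256 reduced into [1, (q − 1)/2] (an assumption). It reproduces the observation of this section: an honestly produced signature verifies, and whenever R = g X^{−h(m_1)} happens to be below q the pair (h(m_1), 1) passes verification without the secret key, so first_branch_hit is the check one would run when reviewing such an instantiation.

```python
import hashlib

# Toy instance constructed for illustration: p = 2q + 1 with p, q prime,
# g = 4 generating the subgroup G of order q in Z_p^*.  Far too small for real use.
P, Q, G = 2039, 1019, 4
HALF = (Q - 1) // 2


def h(*parts):
    """Stand-in for the collision-intractable h mapping into [1, (q-1)/2]
    (assumption: SHA-256 reduced into that interval)."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % HALF + 1


def H(X, R, m1, m2):
    """The paper's group-dependent hash H(p, q, g, X, R, m1, m2); p, q, g are globals here."""
    if 0 <= R < Q and R * pow(X, h(m1), P) % P == G and pow(G, R, P) == m2:
        return h(m1)
    return (h(R, m1, m2) + HALF) % Q


def sign(x, X, m1, m2, r):
    """Schnorr signature (c, y) on (m1, m2) with nonce r in Z_q."""
    c = H(X, pow(G, r, P), m1, m2)
    return c, (r + c * x) % Q


def verify(X, m1, m2, sig):
    """Recompute Z = g^y X^{-c} and check c = H(..., Z, m1, m2)."""
    c, y = sig
    Z = pow(G, y, P) * pow(X, (Q - c % Q) % Q, P) % P
    return H(X, Z, m1, m2) == c


def first_branch_hit(X, m1):
    """Whether R = g X^{-h(m1)}, read as an integer, lies in [0, q): exactly the
    condition under which the first branch of H is reachable for this m1."""
    R = G * pow(X, (Q - h(m1)) % Q, P) % P
    return R < Q, R


def fraction_in_first_branch(X, trials=500):
    """Estimate over constructed messages how often R < q holds; for p = 2q + 1
    the paper predicts roughly one half."""
    hits = sum(first_branch_hit(X, f"msg-{i}")[0] for i in range(trials))
    return hits / trials


def keyless_pair(X, m1):
    """When m1 reaches the first branch, return (m2, (h(m1), 1)) with m2 = g^R;
    the paper shows this pair verifies.  Returns None otherwise."""
    ok, R = first_branch_hit(X, m1)
    if not ok:
        return None
    return pow(G, R, P), (h(m1), 1)
```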

Now let p = wq + 1 for w ≫ q^2. Assume for the moment that except for 1 
none of the other q − 1 group elements lies in [0, q]. Unfortunately, we do not 
know whether this holds in general or not, and we are not aware of any results 
about the distribution of the elements of this subgroup in Z_p^* (if the elements are 
almost uniformly distributed in Z_p^* then this clearly follows from the choice of w). But 
again, we stress that this is an instructive example and we therefore admit this 
simplification. In this case, the hash function evaluation for (R, m_1, m_2) can only 
result in h(m_1) if R = 1. But then R X^{h(m_1)} = X^{h(m_1)} = g is only possible for 
log_g X = 1/h(m_1) mod q. This, in turn, is equivalent to computing the discrete 
logarithm of X to base g, and assuming the intractability of the discrete-log 
problem it is therefore very unlikely that this happens. Hence, given that the 
case above never occurs, the hash function evaluation merely results in values 
h(R, m_1, m_2) + (q − 1)/2 mod q and the scheme resembles the original Schnorr 
system and is thus believed to be secure. 

What happens in the generic model of Schnorr-Jakobsson? There, the adversary cannot interchange group data and non-group data. Hence, any hash function query cannot yield the answer $h(m_1)$ and the scheme is again conceivably secure. In other words, due to the generic model the hash function $H$ has the additional property of being immune against reverse engineering, although $H$ lacks this property for the wrong choice of the group when it is implemented.

5 Conclusion 

We have pointed out several pitfalls for security proofs in the generic model. Clearly, it is preferable to construct attractive protocols that are provably secure by classical methods. Yet, for some schemes used in practice like DSS such security proofs are still missing today (assuming that DSS can be proven secure at all). It is therefore a worthwhile effort to consider certain attacks on these schemes. But one should bear in mind that it merely provides some evidence of hardness if these attacks fail. Also, the lack of proofs should incite researchers to find provably secure alternatives.

We remark that there are alternatives to the signed ElGamal scheme of [17,27,24] which are also discrete-log-based but require milder, yet still "non-standard" assumptions. One is the system based on the random oracle assumption and arbitrary trapdoor functions [5]. Another one is the DHAES scheme of Abdalla et al. [1] based on a potentially stronger assumption than the decisional Diffie-Hellman assumption. The DHAES scheme seems to be at least as efficient as the signed ElGamal scheme: one exponentiation is traded for some private-key operations.

Finally, we remark that there is the ingenious encryption scheme of Cramer and Shoup [8] based only on the decisional Diffie-Hellman assumption; the Cramer-Shoup scheme is only slightly less efficient than the signed ElGamal scheme.
Abstract. We establish, for the first time, an explicit and simple lower bound on the nonlinearity $N_f$ of a Boolean function $f$ of $n$ variables satisfying the avalanche criterion of degree $p$, namely, $N_f \ge 2^{n-1} - 2^{n-1-\frac{p}{2}}$. We also show that the lower bound is tight, and identify all the functions whose nonlinearity attains the lower bound. As a further contribution of this paper, we prove that except for very few cases, the sum of the degree of avalanche and the order of correlation immunity of a Boolean function of $n$ variables is at most $n - 2$. These new results further highlight the significance of the fact that while avalanche property is in harmony with nonlinearity, it goes against correlation immunity.


Key Words: Avalanche Criterion, Boolean Functions, Correlation Immunity, Nonlinearity, Propagation Criterion.

1 Introduction 

Confusion and diffusion, introduced by Shannon [16], are two important principles used in the design of secret key cryptographic systems. These principles can be enforced by using some of the nonlinear properties of Boolean functions involved in a cryptographic transformation. More specifically, a high nonlinearity generally has a positive impact on confusion, whereas a high degree of avalanche enhances the effect of diffusion. Nevertheless, it is also important to note that some nonlinear properties contradict others. This motivates researchers to investigate relationships among various nonlinear properties of Boolean functions.

One can consider three different relationships among nonlinearity, avalanche and correlation immunity, namely, nonlinearity and avalanche, nonlinearity and correlation immunity, and avalanche and correlation immunity. Zhang and Zheng [20] studied how avalanche property influences nonlinearity by establishing a number of upper and lower bounds on nonlinearity. Carlet [3] showed that one may determine a number of different nonlinear properties of a Boolean function, if the function satisfies the avalanche criterion of a high degree. Zheng and Zhang [26] proved that Boolean functions satisfying the avalanche criterion in a hyper-space coincide with certain bent functions. They also established close relationships among plateaued functions with a maximum order, bent functions and the first order correlation immune functions [24]. Seberry, Zhang and Zheng were the first to research into relationships between nonlinearity and correlation immunity [14]. Very recently Zheng and Zhang have succeeded in deriving a new tight upper bound on the nonlinearity of high order correlation immune functions [25]. In the same paper they have also shown that correlation immune functions whose nonlinearity meets the tight upper bound coincide with plateaued functions introduced in [24,23]. All these results help further understand how nonlinearity and correlation immunity are at odds with each other.

The aim of this work is to widen our understanding of other connections among nonlinearity properties of Boolean functions, with a specific focus on relationships between nonlinearity and avalanche, and between avalanche and correlation immunity. We prove that if a function $f$ of $n$ variables satisfies the avalanche criterion of degree $p$, then its nonlinearity $N_f$ must satisfy the condition $N_f \ge 2^{n-1} - 2^{n-1-\frac{p}{2}}$. We also identify the cases when the equality holds, and characterize those functions that have the minimum nonlinearity. This result tells us that a high degree of avalanche guarantees a high nonlinearity.

In the second part of this paper, we look into the question of how avalanche and correlation immunity hold back each other. We prove that with very few exceptions, the sum of the degree of avalanche property and the order of correlation immunity of a Boolean function with $n$ variables is less than or equal to $n - 2$. This result clearly tells us that we cannot expect a function to achieve both a high degree of avalanche and a high order of correlation immunity.

2 Boolean Functions 

We consider functions from $V_n$ to $GF(2)$ (or simply functions on $V_n$), where $V_n$ is the vector space of $n$-tuples of elements from $GF(2)$. The truth table of a function $f$ on $V_n$ is a $(0,1)$-sequence defined by $(f(\alpha_0), f(\alpha_1), \ldots, f(\alpha_{2^n-1}))$, and the sequence of $f$ is a $(1,-1)$-sequence defined by $((-1)^{f(\alpha_0)}, (-1)^{f(\alpha_1)}, \ldots, (-1)^{f(\alpha_{2^n-1})})$, where $\alpha_0 = (0, \ldots, 0, 0)$, $\alpha_1 = (0, \ldots, 0, 1)$, $\ldots$, $\alpha_{2^n-1} = (1, \ldots, 1, 1)$. A function is said to be balanced if its truth table contains $2^{n-1}$ zeros and an equal number of ones. Otherwise it is called unbalanced.

The matrix of $f$ is a $(1,-1)$-matrix of order $2^n$ defined by $M = ((-1)^{f(\alpha_i \oplus \alpha_j)})$ where $\oplus$ denotes the addition in $V_n$.

Given two sequences $a = (a_1, \ldots, a_m)$ and $b = (b_1, \ldots, b_m)$, their component-wise product is defined by $a * b = (a_1 b_1, \ldots, a_m b_m)$. In particular, if $m = 2^n$ and $a, b$ are the sequences of functions $f$ and $g$ on $V_n$ respectively, then $a * b$ is the sequence of $f \oplus g$ where $\oplus$ denotes the addition in $GF(2)$.

Let $a = (a_1, \ldots, a_m)$ and $b = (b_1, \ldots, b_m)$ be two sequences or vectors; the scalar product of $a$ and $b$, denoted by $\langle a, b \rangle$, is defined as the sum of the component-wise multiplications. In particular, when $a$ and $b$ are from $V_m$, $\langle a, b \rangle = a_1 b_1 \oplus \cdots \oplus a_m b_m$, where the addition and multiplication are over $GF(2)$, and when $a$ and $b$ are $(1,-1)$-sequences, $\langle a, b \rangle = \sum_{i=1}^{m} a_i b_i$ where the addition and multiplication are over the reals.

An affine function $f$ on $V_n$ is a function that takes the form of $f(x_1, \ldots, x_n) = a_1 x_1 \oplus \cdots \oplus a_n x_n \oplus c$, where $a_j, c \in GF(2)$, $j = 1, 2, \ldots, n$. Furthermore $f$ is called a linear function if $c = 0$.

A $(1,-1)$-matrix $N$ of order $n$ is called a Hadamard matrix if $N N^T = n I_n$, where $N^T$ is the transpose of $N$ and $I_n$ is the identity matrix of order $n$. A Sylvester-Hadamard matrix of order $2^n$, denoted by $H_n$, is generated by the following recursive relation

$$H_0 = 1, \qquad H_n = \begin{pmatrix} H_{n-1} & H_{n-1} \\ H_{n-1} & -H_{n-1} \end{pmatrix}, \qquad n = 1, 2, \ldots$$


Let $\ell_i$, $0 \le i \le 2^n - 1$, be the $i$th row of $H_n$. It is known that $\ell_i$ is the sequence of a linear function $\varphi_i(x)$ on $V_n$, defined by the scalar product $\varphi_i(x) = \langle \alpha_i, x \rangle$, where $\alpha_i$ is the binary representation of an integer $i$.

The Hamming weight of a $(0,1)$-sequence $\xi$, denoted by $HW(\xi)$, is the number of ones in the sequence. Given two functions $f$ and $g$ on $V_n$, the Hamming distance $d(f, g)$ between them is defined as the Hamming weight of the truth table of $f(x) \oplus g(x)$, where $x = (x_1, \ldots, x_n)$.


3 Cryptographic Criteria of Boolean Functions 

The following criteria for cryptographic Boolean functions are often considered: 
(1) balance, (2) nonlinearity, (3) avalanche, (4) correlation immunity, (5) 
algebraic degree, (6) absence of non-zero linear structures. In this paper we 
focus on avalanche, nonlinearity and correlation immunity. 

Parseval's equation (Page 416 [8]) is a useful tool in this research: Let $f$ be a function on $V_n$ and $\xi$ denote the sequence of $f$. Then $\sum_{i=0}^{2^n-1} \langle \xi, \ell_i \rangle^2 = 2^{2n}$ where $\ell_i$ is the $i$th row of $H_n$, $i = 0, 1, \ldots, 2^n - 1$.

The nonlinearity of a function $f$ on $V_n$, denoted by $N_f$, is the minimal Hamming distance between $f$ and all affine functions on $V_n$, i.e.,

$$N_f = \min_{i = 1, 2, \ldots, 2^{n+1}} d(f, \varphi_i)$$

where $\varphi_1, \ldots, \varphi_{2^{n+1}}$ are all the affine functions on $V_n$. High nonlinearity can be used to resist a linear attack [9]. The following characterization of nonlinearity will be useful (for a proof see for instance [10]).

Lemma 1. The nonlinearity of $f$ on $V_n$ can be expressed by

$$N_f = 2^{n-1} - \frac{1}{2} \max\{ |\langle \xi, \ell_i \rangle|, 0 \le i \le 2^n - 1 \}$$

where $\xi$ is the sequence of $f$ and $\ell_0, \ldots, \ell_{2^n-1}$ are the rows of $H_n$, namely, the sequences of linear functions on $V_n$.
From Lemma 1 and Parseval's equation, it is easy to verify that $N_f \le 2^{n-1} - 2^{\frac{n}{2}-1}$ for any function $f$ on $V_n$. A function $f$ on $V_n$ is called a bent function if $\langle \xi, \ell_i \rangle^2 = 2^n$ for every $i$, $0 \le i \le 2^n - 1$ [13]. Hence $f$ is a bent function on $V_n$ if and only if $N_f = 2^{n-1} - 2^{\frac{n}{2}-1}$. It is known that a bent function on $V_n$ exists only when $n$ is even.

Let $f$ be a function on $V_n$. We say that $f$ satisfies the avalanche criterion with respect to $\alpha$ if $f(x) \oplus f(x \oplus \alpha)$ is a balanced function, where $x = (x_1, \ldots, x_n)$ and $\alpha$ is a vector in $V_n$. Furthermore $f$ is said to satisfy the avalanche criterion of degree $k$ if it satisfies the avalanche criterion with respect to every non-zero vector $\alpha$ whose Hamming weight is not larger than $k$.¹ From [13], a function $f$ on $V_n$ is bent if and only if $f$ satisfies the avalanche criterion of degree $n$. Note that the strict avalanche criterion (SAC) [18] is the same as the avalanche criterion of degree one.

Let $f$ be a function on $V_n$. For a vector $\alpha \in V_n$, denote by $\xi(\alpha)$ the sequence of $f(x \oplus \alpha)$. Thus $\xi(0)$ is the sequence of $f$ itself and $\xi(0) * \xi(\alpha)$ is the sequence of $f(x) \oplus f(x \oplus \alpha)$. Set $\Delta_f(\alpha) = \langle \xi(0), \xi(\alpha) \rangle$, the scalar product of $\xi(0)$ and $\xi(\alpha)$. $\Delta_f(\alpha)$ is called the auto-correlation of $f$ with a shift $\alpha$. We omit the subscript of $\Delta_f(\alpha)$ if no confusion occurs. Obviously, $\Delta(\alpha) = 0$ if and only if $f(x) \oplus f(x \oplus \alpha)$ is balanced, i.e., $f$ satisfies the avalanche criterion with respect to $\alpha$. In the case that $f$ does not satisfy the avalanche criterion with respect to a vector $\alpha$, it is desirable that $f(x) \oplus f(x \oplus \alpha)$ is almost balanced. Namely we require that $|\Delta_f(\alpha)|$ take a small value.

Let $f$ be a function on $V_n$. $\alpha \in V_n$ is called a linear structure of $f$ if $|\Delta(\alpha)| = 2^n$ (i.e., $f(x) \oplus f(x \oplus \alpha)$ is a constant). For any function $f$, we have $\Delta(\alpha_0) = 2^n$, where $\alpha_0$ is the zero vector on $V_n$. It is easy to verify that the set of all linear structures of a function $f$ form a linear subspace of $V_n$, whose dimension is called the linearity of $f$. A non-zero linear structure is cryptographically undesirable. It is also well-known that if $f$ has non-zero linear structures, then there exists a nonsingular $n \times n$ matrix $B$ over $GF(2)$ such that $f(xB) = g(y) \oplus \psi(z)$, where $x = (y, z)$, $y \in V_p$, $z \in V_q$, $g$ is a function on $V_p$ that has no non-zero linear structures, and $\psi$ is a linear function on $V_q$.

The following lemma is the re-statement of a relation proved in Section 2 of [4].

Lemma 2. For every function $f$ on $V_n$, we have

$$(\Delta(\alpha_0), \Delta(\alpha_1), \ldots, \Delta(\alpha_{2^n-1})) H_n = (\langle \xi, \ell_0 \rangle^2, \langle \xi, \ell_1 \rangle^2, \ldots, \langle \xi, \ell_{2^n-1} \rangle^2)$$

where $\xi$ denotes the sequence of $f$, $\ell_i$ is the $i$th row of $H_n$, and $\alpha_i$ is the vector in $V_n$ that corresponds to the binary representation of $i$, $i = 0, 1, \ldots, 2^n - 1$.

¹ The avalanche criterion was called the propagation criterion in [12], as well as in all our earlier papers dealing with the subject. Historically, Feistel was apparently the first person who coined the term of "avalanche" and realized its importance in the design of a block cipher [6]. According to Coppersmith [5], a member of the team who designed DES, avalanche properties were employed in selecting the S-boxes used in the cipher, which contributed to the strength of the cipher against various attacks including differential [1] and linear [9] attacks.
The concept of correlation immune functions was introduced by Siegenthaler [17]. Xiao and Massey gave an equivalent definition [2,7]: A function $f$ on $V_n$ is called a $k$th-order correlation immune function if $\sum_{x \in V_n} f(x) (-1)^{\langle \beta, x \rangle} = 0$ for all $\beta \in V_n$ with $1 \le HW(\beta) \le k$, where in the sum, $f(x)$ and $\langle \beta, x \rangle$ are regarded as real-valued functions. From Section 4.2 of [2], a correlation immune function can also be equivalently restated as follows: Let $f$ be a function on $V_n$ and let $\xi$ be its sequence. Then $f$ is called a $k$th-order correlation immune function if $\langle \xi, \ell \rangle = 0$ for every $\ell$, where $\ell$ is the sequence of a linear function $\varphi(x) = \langle \alpha, x \rangle$ on $V_n$ constrained by $1 \le HW(\alpha) \le k$. It should be noted that $\langle \xi, \ell \rangle = 0$ if and only if $f(x) \oplus \varphi(x)$ is balanced. Hence $f$ is a $k$th-order correlation immune function if and only if $f(x) \oplus \varphi(x)$ is balanced for each linear function $\varphi(x) = \langle \alpha, x \rangle$ on $V_n$ where $1 \le HW(\alpha) \le k$. Correlation immune functions are used in the design of running-key generators in stream ciphers to resist a correlation attack. Relevant discussions on correlation immune functions, and more generally on resilient functions, can be found in [22].

4 A Tight Lower Bound on Nonlinearity of Boolean Functions Satisfying Avalanche Criterion of Degree p

Let $(a_0, a_1, \ldots, a_{2^n-1})$ and $(b_0, b_1, \ldots, b_{2^n-1})$ be two real-valued sequences of length $2^n$, satisfying

$$(a_0, a_1, \ldots, a_{2^n-1}) H_n = (b_0, b_1, \ldots, b_{2^n-1}) \tag{1}$$

Let $p$ be an integer with $1 \le p \le n - 1$. Rewrite (1) as

$$(a_0, a_1, \ldots, a_{2^n-1}) (H_{n-p} \times H_p) = (b_0, b_1, \ldots, b_{2^n-1}) \tag{2}$$

where $\times$ denotes the Kronecker product [19]. Let $e_j$ denote the $j$th row of $H_p$, $j = 0, 1, \ldots, 2^p - 1$. For any fixed $j$ with $0 \le j \le 2^p - 1$, comparing the $j$th, $(j + 2^p)$th, $\ldots$, $(j + (2^{n-p} - 1) 2^p)$th terms in both sides of (2), we have

$$(a_0, a_1, \ldots, a_{2^n-1}) (H_{n-p} \times e_j) = (b_j, b_{j + 2^p}, b_{j + 2 \cdot 2^p}, \ldots, b_{j + (2^{n-p}-1) 2^p})$$

Write $(a_0, a_1, \ldots, a_{2^n-1}) = (\chi_0, \chi_1, \ldots, \chi_{2^{n-p}-1})$ where each $\chi_i$ is of length $2^p$. Then we have

$$(\langle \chi_0, e_j \rangle, \langle \chi_1, e_j \rangle, \ldots, \langle \chi_{2^{n-p}-1}, e_j \rangle) H_{n-p} = (b_j, b_{j + 2^p}, b_{j + 2 \cdot 2^p}, \ldots, b_{j + (2^{n-p}-1) 2^p})$$

or equivalently,

$$2^{n-p} (\langle \chi_0, e_j \rangle, \langle \chi_1, e_j \rangle, \ldots, \langle \chi_{2^{n-p}-1}, e_j \rangle) = (b_j, b_{j + 2^p}, b_{j + 2 \cdot 2^p}, \ldots, b_{j + (2^{n-p}-1) 2^p}) H_{n-p} \tag{3}$$

Let $\ell_i$ denote the $i$th row of $H_{n-p}$, where $i = 0, 1, \ldots, 2^{n-p} - 1$. In addition, write $(b_j, b_{j + 2^p}, b_{j + 2 \cdot 2^p}, \ldots, b_{j + (2^{n-p}-1) 2^p}) = \lambda_j$, where $j = 0, 1, \ldots, 2^p - 1$. Comparing the $i$th terms in both sides of (3), we have $2^{n-p} \langle \chi_i, e_j \rangle = \langle \lambda_j, \ell_i \rangle$ where $\chi_i = (a_{i \cdot 2^p}, a_{1 + i \cdot 2^p}, \ldots, a_{2^p - 1 + i \cdot 2^p})$. These discussions lead to the following lemma.
Lemma 3. Let $(a_0, a_1, \ldots, a_{2^n-1})$ and $(b_0, b_1, \ldots, b_{2^n-1})$ be two real-valued sequences of length $2^n$, satisfying

$$(a_0, a_1, \ldots, a_{2^n-1}) H_n = (b_0, b_1, \ldots, b_{2^n-1})$$

Let $p$ be an integer with $1 \le p \le n - 1$. For any fixed $i$ with $0 \le i \le 2^{n-p} - 1$ and any fixed $j$ with $0 \le j \le 2^p - 1$, let $\chi_i = (a_{i \cdot 2^p}, a_{1 + i \cdot 2^p}, \ldots, a_{2^p - 1 + i \cdot 2^p})$ and $\lambda_j = (b_j, b_{j + 2^p}, b_{j + 2 \cdot 2^p}, \ldots, b_{j + (2^{n-p}-1) 2^p})$. Then we have

$$2^{n-p} \langle \chi_i, e_j \rangle = \langle \lambda_j, \ell_i \rangle, \qquad i = 0, 1, \ldots, 2^{n-p} - 1, \quad j = 0, 1, \ldots, 2^p - 1 \tag{4}$$

where $\ell_i$ denotes the $i$th row of $H_{n-p}$ and $e_j$ denotes the $j$th row of $H_p$.

Lemma 3 can be viewed as a refined version of the Hadamard transformation 
(1), and it will be a useful mathematical tool in proving the following two lemmas. 
These two lemmas will then play a significant role in proving the main results 
of this paper. 

Lemma 4. Let $f$ be a non-bent function on $V_n$, satisfying the avalanche criterion of degree $p$. Denote the sequence of $f$ by $\xi$. If there exists a row $L^*$ of $H_n$ such that $|\langle \xi, L^* \rangle| = 2^{n - \frac{p}{2}}$, then $\alpha_{2^{t+p} + 2^p - 1}$ is a non-zero linear structure of $f$, where $\alpha_{2^{t+p} + 2^p - 1}$ is the vector in $V_n$ corresponding to the integer $2^{t+p} + 2^p - 1$, $t = 0, 1, \ldots, n - p - 1$.

Proof. First we note that $p > 0$. Since $f$ is not bent, $p \le n - 1$. Let us first rewrite the equality in Lemma 2 as follows

$$(\Delta(\alpha_0), \Delta(\alpha_1), \ldots, \Delta(\alpha_{2^n-1})) H_n = (\langle \xi, L_0 \rangle^2, \langle \xi, L_1 \rangle^2, \ldots, \langle \xi, L_{2^n-1} \rangle^2) \tag{5}$$

where $\alpha_i$ is the vector in $V_n$ corresponding to the integer $i$, and $L_i$ is the $i$th row of $H_n$, $i = 0, 1, \ldots, 2^n - 1$. Set $i = 0$ in (4). Then we have $2^{n-p} \langle \chi_0, e_j \rangle = \langle \lambda_j, \ell_0 \rangle$. Since $f$ satisfies the avalanche criterion of degree $p$ and $HW(\alpha_j) \le p$, $j = 1, \ldots, 2^p - 1$, we have

$$\Delta(\alpha_0) = 2^n, \qquad \Delta(\alpha_1) = \cdots = \Delta(\alpha_{2^p - 1}) = 0 \tag{6}$$

Applying $2^{n-p} \langle \chi_0, e_j \rangle = \langle \lambda_j, \ell_0 \rangle$ to (5), we obtain

$$2^{n-p} \Delta(\alpha_0) = \sum_{u=0}^{2^{n-p}-1} \langle \xi, L_{j + u \cdot 2^p} \rangle^2$$

or equivalently

$$\sum_{u=0}^{2^{n-p}-1} \langle \xi, L_{j + u \cdot 2^p} \rangle^2 = 2^{2n-p} \tag{7}$$

Since $L^*$ is a row of $H_n$, it can be expressed as $L^* = L_{j_0 + u_0 \cdot 2^p}$, where $0 \le j_0 \le 2^p - 1$ and $0 \le u_0 \le 2^{n-p} - 1$. Set $j = j_0$ in (7); we have $\sum_{u=0}^{2^{n-p}-1} \langle \xi, L_{j_0 + u \cdot 2^p} \rangle^2 = 2^{2n-p}$. From

$$\langle \xi, L_{j_0 + u_0 \cdot 2^p} \rangle^2 = \langle \xi, L^* \rangle^2 = 2^{2n-p} \tag{8}$$

we have

$$\langle \xi, L_{j_0 + u \cdot 2^p} \rangle = 0, \quad \text{for all } u,\ 0 \le u \le 2^{n-p} - 1,\ u \ne u_0 \tag{9}$$

Set $i = 2^t$ and $j = j_0$ in Lemma 3, where $0 \le t \le n - p - 1$; we have

$$2^{n-p} \langle \chi_{2^t}, e_{j_0} \rangle = \langle \lambda_{j_0}, \ell_{2^t} \rangle \tag{10}$$

where $\ell_{2^t}$ is the $2^t$th row of $H_{n-p}$ and $e_{j_0}$ is the $j_0$th row of $H_p$, $j_0 = 0, 1, \ldots, 2^p - 1$. As $f$ satisfies the avalanche criterion of degree $p$ and $HW(\alpha_j) \le p$, $j = 2^{t+p}, 1 + 2^{t+p}, \ldots, 2^p - 2 + 2^{t+p}$, we have

$$\Delta(\alpha_{2^{t+p}}) = \Delta(\alpha_{1 + 2^{t+p}}) = \cdots = \Delta(\alpha_{2^p - 2 + 2^{t+p}}) = 0 \tag{11}$$

Applying (10) to (5), and considering (8), (9) and (11), we have

$$2^{n-p} \Delta(\alpha_{2^p - 1 + 2^{p+t}}) = \pm 2^{2n-p}$$

and thus

$$\Delta(\alpha_{2^p - 1 + 2^{p+t}}) = \pm 2^n$$

This proves that $\alpha_{2^p - 1 + 2^{p+t}}$ is indeed a non-zero linear structure of $f$, where $t = 0, 1, \ldots, n - p - 1$. □

Lemma 5. Let $f$ be a non-bent function on $V_n$, satisfying the avalanche criterion of degree $p$. Denote the sequence of $f$ by $\xi$. If there exists a row $L^*$ of $H_n$ such that $|\langle \xi, L^* \rangle| = 2^{n - \frac{p}{2}}$, then $p = n - 1$ and $n$ is odd.

Proof. Since $|\langle \xi, L^* \rangle| = 2^{n - \frac{p}{2}}$, $p$ must be even. Due to $p > 0$, we must have $p \ge 2$. We now prove the lemma by contradiction. Assume that $p \ne n - 1$. Since $p < n$, we have $p \le n - 2$. As $|\langle \xi, L^* \rangle| = 2^{n - \frac{p}{2}}$, from Lemma 4, $\alpha_{2^{t+p} + 2^p - 1}$ is a non-zero linear structure of $f$, where $t = 0, 1, \ldots, n - p - 1$. Notice that $n - p - 1 \ge 1$. Set $t = 0, 1$. Thus both $\alpha_{2^p + 2^p - 1}$ and $\alpha_{2^{p+1} + 2^p - 1}$ are non-zero linear structures of $f$. Since all the linear structures of a function form a linear subspace, $\alpha_{2^p + 2^p - 1} \oplus \alpha_{2^{p+1} + 2^p - 1}$ is also a linear structure of $f$. Hence

$$\Delta(\alpha_{2^p + 2^p - 1} \oplus \alpha_{2^{p+1} + 2^p - 1}) = \pm 2^n \tag{12}$$

On the other hand, since $f$ satisfies the avalanche criterion of degree $p$ and $HW(\alpha_{2^p + 2^p - 1} \oplus \alpha_{2^{p+1} + 2^p - 1}) = 2 \le p$, we conclude that $\Delta(\alpha_{2^p + 2^p - 1} \oplus \alpha_{2^{p+1} + 2^p - 1}) = 0$. This contradicts (12). Thus we have $p > n - 2$. The only possible value for $p$ is $p = n - 1$. Since $p$ is even, $n$ must be odd. □

Theorem 1. Let $f$ be a function on $V_n$, satisfying the avalanche criterion of degree $p$. Then

(i) the nonlinearity $N_f$ of $f$ satisfies $N_f \ge 2^{n-1} - 2^{n-1-\frac{p}{2}}$,

(ii) the equality in (i) holds if and only if one of the following two conditions holds:



On Relationships among Avalanche, Nonlinearity, and Correlation Immunity 477 


(a) $p = n - 1$, $n$ is odd and $f(x) = g(x_1 \oplus x_n, \ldots, x_{n-1} \oplus x_n) \oplus h(x_1, \ldots, x_n)$, where $x = (x_1, \ldots, x_n)$, $g$ is a bent function on $V_{n-1}$, and $h$ is an affine function on $V_n$.

(b) $p = n$, $f$ is bent and $n$ is even.

Proof. Due to (7), i.e., $\sum_{u=0}^{2^{n-p}-1} \langle \xi, L_{j + u \cdot 2^p} \rangle^2 = 2^{2n-p}$, we have $\langle \xi, L_{j + u \cdot 2^p} \rangle^2 \le 2^{2n-p}$. Since $u$ and $j$ are arbitrary, by using Lemma 1, we have $N_f \ge 2^{n-1} - 2^{n-1-\frac{p}{2}}$. Now assume that

$$N_f = 2^{n-1} - 2^{n-1-\frac{p}{2}} \tag{13}$$

From Lemma 1, there exists a row $L^*$ of $H_n$ such that $|\langle \xi, L^* \rangle| = 2^{n - \frac{p}{2}}$. Two cases need to be considered: $f$ is non-bent and $f$ is bent. When $f$ is non-bent, thanks to Lemma 5, we have $p = n - 1$ and $n$ is odd. Considering Proposition 1 of [3], we conclude that $f$ must take the form mentioned in (a). On the other hand, if $f$ is bent, then $p = n$ and $n$ is even. Hence (b) holds.

Conversely, assume that $f$ takes the form in (a). Applying a nonsingular linear transformation on the variables, and considering Proposition 3 of [11], we have $N_f = 2 N_g$. Since $g$ is bent, we have $N_f = 2^{n-1} - 2^{\frac{1}{2}(n-1)}$. Hence (13) holds, where $p = n - 1$. On the other hand, it is obvious that (13) holds whenever (b) does. □

5 Relationships between Avalanche and Correlation Immunity

To prove the main theorems, we introduce two more results. The following lemma is part of Lemma 12 in [15].

Lemma 6. Let $f_1$ be a function on $V_s$ and $f_2$ be a function on $V_t$. Then $f_1(x_1, \ldots, x_s) \oplus f_2(y_1, \ldots, y_t)$ is a balanced function on $V_{s+t}$ if $f_1$ or $f_2$ is balanced.

Next we look at the structure of a function on $V_n$ that satisfies the avalanche criterion of degree $n - 1$.

Lemma 7. Let $f$ be a function on $V_n$. Then

(i) $f$ is non-bent and satisfies the avalanche criterion of degree $n - 1$, if and only if $n$ is odd and $f(x) = g(x_1 \oplus x_n, \ldots, x_{n-1} \oplus x_n) \oplus c_1 x_1 \oplus \cdots \oplus c_n x_n \oplus c$, where $x = (x_1, \ldots, x_n)$, $g$ is a bent function on $V_{n-1}$, and $c_1, \ldots, c_n$ and $c$ are all constants in $GF(2)$,

(ii) $f$ is balanced and satisfies the avalanche criterion of degree $n - 1$, if and only if $n$ is odd and $f(x) = g(x_1 \oplus x_n, \ldots, x_{n-1} \oplus x_n) \oplus c_1 x_1 \oplus \cdots \oplus c_n x_n \oplus c$, where $g$ is a bent function on $V_{n-1}$, and $c_1, \ldots, c_n$ and $c$ are all constants in $GF(2)$, satisfying $\bigoplus_{j=1}^{n} c_j = 1$.
Proof. (i) holds due to Proposition 1 of [3].

Assume that $f$ is balanced and satisfies the avalanche criterion of degree $n - 1$. Since $f$ is balanced, it is non-bent. From (i) of the lemma, $f(x) = g(x_1 \oplus x_n, \ldots, x_{n-1} \oplus x_n) \oplus c_1 x_1 \oplus \cdots \oplus c_n x_n \oplus c$, where $x = (x_1, \ldots, x_n)$, $g$ is a bent function on $V_{n-1}$, and $c_1, \ldots, c_n$ and $c$ are all constants in $GF(2)$. Set $u_j = x_j \oplus x_n$, $j = 1, \ldots, n - 1$. We have $f(u_1, \ldots, u_{n-1}, x_n) = g(u_1, \ldots, u_{n-1}) \oplus c_1 u_1 \oplus \cdots \oplus c_{n-1} u_{n-1} \oplus (c_1 \oplus \cdots \oplus c_n) x_n \oplus c$. Since $g(u_1, \ldots, u_{n-1}) \oplus c_1 u_1 \oplus \cdots \oplus c_{n-1} u_{n-1}$ is a bent function on $V_{n-1}$, it is unbalanced. On the other hand, since $f$ is balanced, we conclude that $\bigoplus_{j=1}^{n} c_j \ne 0$, namely, $\bigoplus_{j=1}^{n} c_j = 1$. This proves the necessity for (ii). Using the same reasoning as in the proof of (i), and taking into account Lemma 6, we can prove the sufficiency for (ii). □


5.1 The Case of Balanced Functions 

Theorem 2. Let $f$ be a balanced $q$th-order correlation immune function on $V_n$, satisfying the avalanche criterion of degree $p$. Then we have $p + q \le n - 2$.

Proof. First we note that $q > 0$ and $p > 0$. Since $f$ is balanced, it cannot be bent. We prove the theorem in two steps. The first step deals with $p + q \le n - 1$, and the second step with $p + q \le n - 2$.

We start with proving that $p + q \le n - 1$ by contradiction. Assume that $p + q \ge n$. Set $i = 0$ and $j = 0$ in (4); we have $2^{n-p} \langle \chi_0, e_0 \rangle = \langle \lambda_0, \ell_0 \rangle$. Since $f$ satisfies the avalanche criterion of degree $p$ and $HW(\alpha_j) \le p$, $j = 1, \ldots, 2^p - 1$, we know that (6) holds. Note that $HW(\alpha_{u \cdot 2^p}) \le n - p \le q$ for all $u$, $0 \le u \le 2^{n-p} - 1$. Since $f$ is a balanced $q$th-order correlation immune function, we have

$$\langle \xi, L_0 \rangle = \langle \xi, L_{2^p} \rangle = \langle \xi, L_{2 \cdot 2^p} \rangle = \cdots = \langle \xi, L_{(2^{n-p}-1) 2^p} \rangle = 0 \tag{14}$$

Applying $2^{n-p} \langle \chi_0, e_0 \rangle = \langle \lambda_0, \ell_0 \rangle$ to (5), and noticing (6) and (14), we would have $2^{n-p} \Delta(\alpha_0) = 0$, i.e., $2^{2n-p} = 0$. This cannot be true. Hence we have proved that $p + q \le n - 1$.

Next we complete the proof by showing that $p + q \le n - 2$. Assume for contradiction that the theorem is not true, i.e., $p + q \ge n - 1$. Since we have already proved that $p + q \le n - 1$, by assumption we should have $p + q = n - 1$. Note that $HW(\alpha_{u \cdot 2^p}) \le n - p - 1 = q$ for all $u$ with $0 \le u \le 2^{n-p} - 2$, and $f$ is a balanced $q$th-order correlation immune function, where $q = n - p - 1$. Hence (14) still holds, with the exception that the actual value of $\langle \xi, L_{(2^{n-p}-1) 2^p} \rangle$ is not clear yet. Applying $2^{n-p} \langle \chi_0, e_0 \rangle = \langle \lambda_0, \ell_0 \rangle$ to (5), and noticing (6) and (14), we have $2^{n-p} \Delta(\alpha_0) = \langle \xi, L_{(2^{n-p}-1) 2^p} \rangle^2$. Thus we have $\langle \xi, L_{(2^{n-p}-1) 2^p} \rangle^2 = 2^{2n-p}$. Due to Lemma 5, we have $p = n - 1$. Since $q \ge 1$, we obtain $p + q \ge n$. This contradicts the inequality $p + q \le n - 1$ that we have already proved. Hence $p + q \le n - 2$ holds. □

5.2 The Case of Unbalanced Functions 

We turn our attention to unbalanced functions. A direct proof of the following 
Lemma can be found in [21]. 
Lemma 8. Let $k \ge 2$ be a positive integer and $2^k = a^2 + b^2$, where both $a$ and $b$ are integers with $a \ge b \ge 0$. Then $a = 2^{\frac{k}{2}}$ and $b = 0$ when $k$ is even, and $a = b = 2^{\frac{1}{2}(k-1)}$ otherwise.


Theorem 3. Let $f$ be an unbalanced $q$th-order correlation immune function on $V_n$, satisfying the avalanche criterion of degree $p$. Then

(i) $p + q \le n$,

(ii) the equality in (i) holds if and only if $n$ is odd, $p = n - 1$, $q = 1$ and $f(x) = g(x_1 \oplus x_n, \ldots, x_{n-1} \oplus x_n) \oplus c_1 x_1 \oplus \cdots \oplus c_n x_n \oplus c$ where $x = (x_1, \ldots, x_n)$, $g$ is a bent function on $V_{n-1}$, $c_1, \ldots, c_n$ and $c$ are all constants in $GF(2)$, satisfying $\bigoplus_{j=1}^{n} c_j = 0$.

Proof. Since $f$ is correlation immune, it cannot be bent. Once again we prove (i) by contradiction. Assume that $p + q > n$. Hence $n - p < q$. We keep all the notations in Section 5.1. Note that $HW(\alpha_{u \cdot 2^p}) \le n - p < q$ for all $u$ with $1 \le u \le 2^{n-p} - 1$. Since $f$ is an unbalanced $q$th-order correlation immune function, we have (14) again, with the understanding that $\langle \xi, L_0 \rangle \ne 0$. Applying $2^{n-p} \langle \chi_0, e_0 \rangle = \langle \lambda_0, \ell_0 \rangle$ to (5), and noticing (6) and (14) with $\langle \xi, L_0 \rangle \ne 0$, we have $2^{n-p} \Delta(\alpha_0) = \langle \xi, L_0 \rangle^2$. Hence $\langle \xi, L_0 \rangle^2 = 2^{2n-p}$ and $p$ must be even. Since $f$ is not bent, noticing Lemma 5, we can conclude that $p = n - 1$ and $n$ is odd. Using (ii) of Lemma 7, we have

$$f(x) = g(x_1 \oplus x_n, \ldots, x_{n-1} \oplus x_n) \oplus c_1 x_1 \oplus \cdots \oplus c_n x_n \oplus c$$

where $x = (x_1, \ldots, x_n)$, $g$ is a bent function on $V_{n-1}$, and $c_1, \ldots, c_n$ and $c$ are all constants in $GF(2)$, satisfying $\bigoplus_{j=1}^{n} c_j = 0$. One can verify that while $x_j \oplus f(x)$ is balanced, $j = 1, \ldots, n$, $x_i \oplus x_j \oplus f(x)$ is not if $j \ne i$. Hence $f$ is 1st-order, but not 2nd-order, correlation immune. Since $q > 0$, we have $q = 1$ and $p + q = n$. This contradicts the assumption that $p + q > n$. Hence we have proved that $p + q \le n$.

We now prove (ii). Assume that $p + q = n$. Since $n - p = q$, we can apply $2^{n-p} \langle \chi_0, e_0 \rangle = \langle \lambda_0, \ell_0 \rangle$ to (5), and have (6) and (14) with $\langle \xi, L_0 \rangle \ne 0$. By using the same reasoning as in the proof of (i), we can arrive at the conclusion that (ii) holds. □


Theorem 4. Let $f$ be an unbalanced $q$th-order correlation immune function on $V_n$, satisfying the avalanche criterion of degree $p$. If $p + q = n - 1$, then $f$ also satisfies the avalanche criterion of degree $p + 1$, $n$ is odd and $f$ must take the form mentioned in (ii) of Theorem 3.

Proof. Let $p + q = n - 1$. Note that $HW(\alpha_{u \cdot 2^p}) \le n - p - 1 = q$ for all $u$, $0 \le u \le 2^{n-p} - 2$. Since $f$ is unbalanced and $q$th-order correlation immune, we have (14), although once again $\langle \xi, L_0 \rangle \ne 0$ and the value of $\langle \xi, L_{(2^{n-p}-1) 2^p} \rangle$ is not clear yet. Applying $2^{n-p} \langle \chi_0, e_0 \rangle = \langle \lambda_0, \ell_0 \rangle$ to (5), noticing (6) and (14), with the understanding that $\langle \xi, L_0 \rangle \ne 0$ and $\langle \xi, L_{(2^{n-p}-1) 2^p} \rangle$ is not decided yet, we have $2^{n-p} \Delta(\alpha_0) = \langle \xi, L_0 \rangle^2 + \langle \xi, L_{(2^{n-p}-1) 2^p} \rangle^2$. That is

$$\langle \xi, L_0 \rangle^2 + \langle \xi, L_{(2^{n-p}-1) 2^p} \rangle^2 = 2^{2n-p} \tag{15}$$

There exist two cases to be considered: $p$ is even and $p$ is odd.

Case 1: $p$ is even and thus $p \ge 2$. Since $\langle \xi, L_0 \rangle \ne 0$, applying Lemma 8 to (15), we have $\langle \xi, L_0 \rangle^2 = 2^{2n-p}$ and $\langle \xi, L_{(2^{n-p}-1) 2^p} \rangle = 0$. Due to Lemma 5, $p = n - 1$. Since $q > 0$, we have $p + q \ge n$. This contradicts the assumption $p + q = n - 1$. Hence $p$ cannot be even.

Case 2: $p$ is odd. Applying Lemma 8 to (15), we obtain

$$\langle \xi, L_0 \rangle^2 = \langle \xi, L_{(2^{n-p}-1) 2^p} \rangle^2 = 2^{2n-p-1} \tag{16}$$

Set $i = 2^t$, $t = 0, 1, \ldots, n - p - 1$, where $n - p - 1 = q > 0$, and $j = 0$ in (4); we have

$$2^{n-p} \langle \chi_{2^t}, e_0 \rangle = \langle \lambda_0, \ell_{2^t} \rangle \tag{17}$$

where $\ell_{2^t}$ is the $2^t$th row of $H_{n-p}$ and $e_0$ is the all-one sequence of length $2^p$.

Since $f$ satisfies the avalanche criterion of degree $p$ and $HW(\alpha_j) \le p$, $j = 2^{t+p}, 1 + 2^{t+p}, \ldots, 2^p - 2 + 2^{t+p}$, (11) holds.

Applying (17) to (5), noticing (11) and (14) with $\langle \xi, L_0 \rangle^2 = \langle \xi, L_{(2^{n-p}-1) 2^p} \rangle^2 = 2^{2n-p-1}$, we have $2^{n-p} \Delta(\alpha_{2^{t+p} + 2^p - 1}) = 2^{2n-p}$ or $0$. In other words, $\Delta(\alpha_{2^{t+p} + 2^p - 1}) = 2^n$ or $0$.

Note that $\ell_{2^t}$ is the sequence of a linear function $\psi$ on $V_{n-p}$ where $\psi(y) = \langle \beta_{2^t}, y \rangle$, $y \in V_{n-p}$, $\beta_{2^t} \in V_{n-p}$ corresponds to the binary representation of $2^t$. Due to (17), it is easy to verify that $\Delta(\alpha_{2^{t+p} + 2^p - 1}) = 2^n$ (or $0$) if and only if $\langle \beta_{2^{n-p}-1}, \beta_{2^t} \rangle = 0$ (or $1$) where $\beta_{2^{n-p}-1} \in V_{n-p}$ corresponds to the binary representation of $2^{n-p} - 1$. Note that $\beta_{2^{n-p}-1} = (0, \ldots, 0, 1, \ldots, 1)$ where the number of ones is equal to $n - p$. On the other hand $\beta_{2^t}$ can be written as $\beta_{2^t} = (0, \ldots, 0, 1, 0, \ldots, 0)$. Since $t \le n - p - 1$, we conclude that $\langle \beta_{2^{n-p}-1}, \beta_{2^t} \rangle = 1$, for all $t$ with $0 \le t \le n - p - 1$. Hence $\Delta(\alpha_{2^{t+p} + 2^p - 1}) = 0$ for all such $t$.

Note that $HW(\alpha_{2^{t+p} + 2^p - 1}) = p + 1$. Permuting the variables, we can prove in a similar way that $\Delta(\alpha) = 0$ holds for each $\alpha$ with $HW(\alpha) = p + 1$. Hence $f$ satisfies the avalanche criterion of degree $p + 1$. Due to $p + q = n - 1$, we have $(p + 1) + q = n$. Using Theorem 3, we conclude that $n$ is odd and $f$ takes the form mentioned in (ii) of Theorem 3. □

From Theorems 3 and 4, we conclude

Corollary 1. Let $f$ be an unbalanced $q$th-order correlation immune function on $V_n$, satisfying the avalanche criterion of degree $p$. Then

(i) $p + q \le n$, and the equality holds if and only if $n$ is odd, $p = n - 1$, $q = 1$ and $f(x) = g(x_1 \oplus x_n, \ldots, x_{n-1} \oplus x_n) \oplus c_1 x_1 \oplus \cdots \oplus c_n x_n \oplus c$, where $x = (x_1, \ldots, x_n)$, $g$ is a bent function on $V_{n-1}$, $c_1, \ldots, c_n$ and $c$ are all constants in $GF(2)$, satisfying $\bigoplus_{j=1}^{n} c_j = 0$,

(ii) $p + q \le n - 2$ if $q \ne 1$.
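The following Python toolkit is an added example, not code from the paper: it computes the quantities of Sections 2 and 3 (sequence, Walsh spectrum, nonlinearity via Lemma 1, auto-correlation, avalanche degree, correlation immunity order) on truth tables, builds the function of Lemma 7 / Theorem 3(ii), and checks Lemma 2, Theorem 1 and the bounds of Theorems 2 and 3 exhaustively for every function on $V_3$. All function names and the indexing convention ($x_n$ as least significant bit, matching $\alpha_1 = (0, \ldots, 0, 1)$) are my own choices.

```python
"""Walsh-Hadamard toolkit for the criteria of Sections 2-5 (added example, not
the paper's code).  A truth table is a list of 0/1 values indexed by the integer
i whose binary representation is alpha_i, with x_n as the least significant bit."""
from itertools import product


def fwht(vec):
    """Return vec * H_n for a real sequence of length 2^n (fast in-place butterflies)."""
    out = list(vec)
    h = 1
    while h < len(out):
        for i in range(0, len(out), 2 * h):
            for j in range(i, i + h):
                x, y = out[j], out[j + h]
                out[j], out[j + h] = x + y, x - y
        h *= 2
    return out


def walsh_spectrum(tt):
    """(<xi, l_0>, ..., <xi, l_{2^n-1}>) where xi = (-1)^f is the sequence of f."""
    return fwht([(-1) ** b for b in tt])


def nonlinearity(tt):
    """Lemma 1: N_f = 2^(n-1) - (1/2) max_i |<xi, l_i>|."""
    return len(tt) // 2 - max(abs(w) for w in walsh_spectrum(tt)) // 2


def autocorrelation(tt):
    """(Delta(alpha_0), ..., Delta(alpha_{2^n-1})) with Delta(a) = <xi(0), xi(a)>."""
    seq = [(-1) ** b for b in tt]
    size = len(tt)
    return [sum(seq[x] * seq[x ^ a] for x in range(size)) for a in range(size)]


def _largest_degree(values, n):
    """Largest k such that values[i] == 0 for every i with 1 <= HW(alpha_i) <= k."""
    k = 0
    for w in range(1, n + 1):
        if any(values[i] != 0 for i in range(1, 2 ** n) if bin(i).count("1") == w):
            break
        k = w
    return k


def avalanche_degree(tt):
    """Degree p of the avalanche criterion (0 if even the SAC fails)."""
    return _largest_degree(autocorrelation(tt), len(tt).bit_length() - 1)


def correlation_immunity_order(tt):
    """Order q of correlation immunity, in the Walsh form of Section 3."""
    return _largest_degree(walsh_spectrum(tt), len(tt).bit_length() - 1)


def is_balanced(tt):
    return 2 * sum(tt) == len(tt)


def theorem1_bound(n, p):
    """Lower bound 2^(n-1) - 2^(n-1-p/2) of Theorem 1."""
    return 2 ** (n - 1) - 2 ** (n - 1 - p / 2)


def lemma7_function(g_tt, c):
    """f(x) = g(x_1+x_n, ..., x_{n-1}+x_n) + c_1 x_1 + ... + c_n x_n (Lemma 7 form),
    from the truth table of g on V_{n-1} and a coefficient list c of length n >= 2."""
    n = len(c)
    tt = []
    for x in product((0, 1), repeat=n):
        u = [x[j] ^ x[n - 1] for j in range(n - 1)]
        idx = int("".join(map(str, u)), 2)
        tt.append(g_tt[idx] ^ (sum(cj & xj for cj, xj in zip(c, x)) & 1))
    return tt


def exhaustive_check(n):
    """Scan all functions on V_n with p >= 1 and q >= 1 (hypotheses of Theorems 1-3).
    Returns (violations, best_balanced, best_unbalanced): functions breaking Theorem 1
    or p+q <= n-2 (balanced) / p+q <= n (unbalanced), and the largest p+q per class."""
    size = 2 ** n
    violations, best = 0, {True: None, False: None}
    for bits in range(2 ** size):
        tt = [(bits >> i) & 1 for i in range(size)]
        p = avalanche_degree(tt)
        if p == 0:
            continue
        if nonlinearity(tt) < theorem1_bound(n, p) - 1e-9:
            violations += 1
        q = correlation_immunity_order(tt)
        if q == 0:
            continue
        bal = is_balanced(tt)
        if p + q > (n - 2 if bal else n):
            violations += 1
        best[bal] = max(best[bal] or 0, p + q)
    return violations, best[True], best[False]


if __name__ == "__main__":
    g = [0, 0, 0, 1]                   # g(y1, y2) = y1 y2, bent on V_2
    f = lemma7_function(g, [0, 0, 0])  # Theorem 3(ii) form on V_3, sum of c_j = 0
    print("N_f =", nonlinearity(f), "p =", avalanche_degree(f),
          "q =", correlation_immunity_order(f), "balanced:", is_balanced(f))
    print("Lemma 2:", fwht(autocorrelation(f)) == [w * w for w in walsh_spectrum(f)])
    print("exhaustive n=3 (violations, best balanced, best unbalanced):",
          exhaustive_check(3))
```

For $n = 3$ the constructed $f$ has $p = 2$, $q = 1$ and $N_f = 2$, so it meets Theorem 1 with equality and Theorem 3 with $p + q = n$; adding $x_3$ (coefficient list `[0, 0, 1]`) gives the balanced function of Lemma 7(ii), which keeps $p = 2$ but loses all correlation immunity.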
6 Conclusions

We have established a lower bound on nonlinearity over all Boolean functions satisfying the avalanche criterion of degree $p$. We have shown that the lower bound is tight. We have also characterized the functions that have the minimum nonlinearity. Furthermore, we have found a mutually exclusive relationship between the degree of avalanche and the order of correlation immunity.

There are still many interesting questions yet to be answered in this line of research. As an example, we believe that the upper bounds in Theorems 2 and 3 can be further improved, especially when $p$ and $q$ are neither too small, say close to $1$, nor too large, say close to $n - 1$.
Abstract. This paper analyzes the security of a hash mode recently
proposed by Yi and Lam. Given a block cipher with m-bit block size 
and 2m-bit key, they build a hash function with 2m-bit outputs that 
can hash messages as fast as the underlying block cipher can encrypt. 
This construction was conjectured to have ideal security, i.e., to resist 
all collision attacks faster than brute force. We disprove this conjecture 
by presenting a collision attack that is substantially faster than brute 
force and which could even be considered practical for typical security 
parameters. 


1 Introduction 

The public cryptographic community has over 20 years of experience in building 
secure block ciphers. In contrast, the design of cryptographic hash functions has 
received only about half as many years of research. Yet hash functions are still 
a very important primitive to practitioners. Therefore, there is much interest in 
the problem of building a secure, fast hash function out of a secure block cipher. 

This research program has been troubled by two major challenges. First, most 
existing block ciphers have a 64 bit block size, but a hash function with a 64 
bit output cannot possibly resist collision search. Therefore, one must somehow 
securely double the width of the internal state, and this appears to be a non- 
trivial endeavor. Second, it is hard to maintain efficiency without sacrificing 
security. The critical figure of merit is the rate of the hash function, which is 
defined as the number of m-bit message blocks hashed per encryption, where 
m is the block size of the underlying cipher. Many early proposals for building 
fast hash functions have been broken; in particular, Knudsen, Lai, and Preneel 
cryptanalyzed a large class of double-length hash functions of rate 1 [1, 2, 3, 4, 8].

In ACISP ’97, Yi and Lam proposed a new construction for building a hash 
function from a block cipher (e.g., IDEA) with m-bit block width and 2m-bit 
key size [10]. Typically, we will have $m = 64$. The Yi-Lam scheme has rate 1 and
yields 2m-bit outputs. With such high performance, it is an attractive candidate 
for building a fast hash function. 

One crucial feature of the Yi-Lam design is the inclusion of incompatible group operations (xor and addition modulo $2^m$) to combine internal state variables. Most previous work had used only XOR operations, so that the only nonlinear component was the block cipher; however, Knudsen, Lai, and Preneel's work broke all such hash functions of rate 1 using $m$-bit keys. The use of incompatible group operations in the Yi-Lam hash is apparently intended to help frustrate those types of attacks.

Nonetheless, in this paper we still manage to find fast collision attacks on 
Yi and Lam’s proposal. Our attacks work by controlling the effect of the “carry 
bits.” This shows that the incompatibility of xor and addition does not add 
much strength to the Yi-Lam hash mode. 

Our primary results are as follows. We describe how to find full collisions for the Yi-Lam hash with $2^{.71m}$ work. Also, we give a free-start collision attack (also known as a pseudo-collision attack [6, Section 9.7.2]) that requires only $2^{m/2}$ steps of computation, when the adversary can choose the initial starting state of the hash function. Both attacks are very practical to implement for $m = 64$. Note that Satoh, Haga, and Kurosawa have previously shown that there are second-preimage attacks against this hash with complexity about $2^m$ [9], in contrast to its conjectured $2^{2m}$ security level. Thus, we may conclude that the Yi-Lam hash is neither strongly collision-free nor strongly one-way.

Outline. This paper is organized as follows. Section 2 describes Yi and Lam’s 
new scheme briefly, for reference, and Section 3 shows how to find collisions in 
their proposal. Finally, we conclude the paper in Section 4. Appendix A includes 
a proof of our main lemma on the correlation between xor and addition. 

2 Description of the Yi-Lam Hash 

A bit of notation is in order. We write $E(k, x)$ for the encryption of block $x$ under key $k$. The block cipher is assumed to be free of any weaknesses. Also, $x \| y$ stands for the concatenation of two blocks $x$ and $y$. We let $x \oplus y$ stand for the xor of $x$ and $y$, and write $x + y$ for the addition modulo $2^m$ of $x$ and $y$. Since Yi and Lam did not name their scheme, we simply call it the Yi-Lam hash in this paper.

The Yi-Lam hash operates as follows. We pad the message and divide the result into $k$ blocks of size $m$, denoted by $M_0, \ldots, M_{k-1}$. The $2m$-bit internal state is named $G \| H$ and is initialized to a fixed public value $G_0 \| H_0$. We denote the compression function by $h$, and define $h$ by $h(G \| H, M) = G' \| H'$, where $G', H'$ satisfy

$$t = E(H \| M, G), \qquad G' = (t \oplus M) + H \bmod 2^m, \qquad H' = t \oplus G.$$

The final hash digest is computed as $h(\ldots h(h(G_0 \| H_0, M_0), M_1) \ldots, M_{k-1})$. This construction is illustrated pictorially in Figure 1.

Fig. 1. The Yi-Lam hash.

Caution. Beware: there are actually two hashing constructions which could be 
called “the Yi-Lam hash.” One such scheme was proposed in Electronics Letters 
[11] (and subsequently cryptanalyzed [5]); another was published in ACISP’97 
[10]; and the two designs are quite different. In this paper, we focus on analysis of 
the ACISP’97 proposal. To avoid confusion, phrases such as “the Yi-Lam hash” 
should be understood to refer to the ACISP’97 proposal. 

3 Collision Resistance 

In this section, we explore the collision-resistance of the Yi-Lam hash. We exhibit a free-start collision attack with complexity $2^{m/2}$, and then we extend this to a full collision attack with complexity $2^{.71m}$. This is substantially lower than the conjectured security factor of $2^m$ for security against collision attacks. For the suggested parameters (i.e., $m = 64$), even the full collision attack is well within reach of most adversaries in practice, since it requires only $2^{.71 \times 64} < 2^{46}$ work.

The free-start attack. First, we describe a free-start collision attack on the Yi-Lam hash, as promised. Calculate

$$G'_i \| H'_i = h(G_i \| 0, G_i), \qquad i = 1, \ldots, n,$$

for $n = 2^{m/2}$ values of $G_i$, observing that $G'_i = H'_i$ for all $i$. We search for a pair $i, j$ with $H'_i = H'_j$. Then $G'_i = H'_i = H'_j = G'_j$, so this produces a pseudo-collision for the compression function.

The total computational complexity of this attack is $2^{m/2}$ encryptions. A naive implementation of this attack might require $2^{m/2}$ units of storage, but we note that using Floyd's cycle-finding algorithm or any of its improvements [7] reduces the storage complexity of the attack to a very small constant.

The full collision attack. In the remainder of this section, we will analyze the security of the Yi-Lam hash against full collision attacks. Let $G_i \| H_i$ (for $i = 1, \ldots, n$) be any $n$ values for the chaining variables. For instance, we could select $G_i \| H_i = h(G_0 \| H_0, X_i)$ for $n$ different message blocks $X_i$.

To aid the intuition, let's first consider a variant of the Yi-Lam hash where all additions are replaced by xors. Imagine calculating the values

$$G'_i \| H'_i = h(G_i \| H_i, G_i \oplus H_i), \qquad i = 1, \ldots, n,$$

for $n = 2^{m/2}$ arbitrary values of $G_i \| H_i$ (which could be obtained by hashing $n$ different message prefixes). Then we would have the relation $G'_i = H'_i$ for all $i$, since

$$G'_i \oplus H'_i = t_i \oplus M_i \oplus H_i \oplus t_i \oplus G_i = 0. \qquad (1)$$

After about $n = 2^{m/2}$ trial hashes, we would expect to find some $i \ne j$ such that $H'_i = H'_j$ by the birthday paradox. This would imply that $G'_i = H'_i = H'_j = G'_j$, so this algorithm would give a full collision in this Yi-Lam variant after $2^{m/2}$ trial hash computations.
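As an added example (not code from the paper), here is a toy instance of the Yi-Lam compression function and of the all-xor variant just discussed, with a property check for the two structural facts used above: the free-start observation that $G' = H'$ whenever $H = 0$ and $M = G$, and Equation (1), which makes $G' = H'$ hold for every input of the variant when $M = G \oplus H$. The cipher `E` is a stand-in built from SHA-256 and the toy width $m = 16$ is an assumption of this example; the paper assumes an ideal $m$-bit cipher with $m = 64$. The constructed chaining values stand in for hashed message prefixes.

```python
import hashlib

M_BITS = 16                   # toy block width m (the paper's parameter is m = 64)
MASK = (1 << M_BITS) - 1


def E(key: int, x: int) -> int:
    """Stand-in m-bit block cipher with a 2m-bit key. Assumption of this
    example: a SHA-256 based keyed function replaces an ideal cipher."""
    data = key.to_bytes(2 * M_BITS // 8, "big") + x.to_bytes(M_BITS // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[: M_BITS // 8], "big")


def h_yilam(G: int, H: int, M: int) -> tuple:
    """Yi-Lam compression: t = E(H||M, G), G' = (t xor M) + H mod 2^m, H' = t xor G."""
    t = E((H << M_BITS) | M, G)
    return ((t ^ M) + H) & MASK, t ^ G


def h_xor_variant(G: int, H: int, M: int) -> tuple:
    """The variant discussed in the text: the modular addition is replaced by xor."""
    t = E((H << M_BITS) | M, G)
    return t ^ M ^ H, t ^ G


def free_start_property(compress, G: int) -> bool:
    """With H = 0 and M = G the two output halves coincide (G' = H')."""
    Gp, Hp = compress(G, 0, G)
    return Gp == Hp


def relation_1_holds(compress, G: int, H: int) -> bool:
    """Equation (1): with M = G xor H, is G' xor H' = 0?"""
    Gp, Hp = compress(G, H, G ^ H)
    return Gp == Hp


def sample_states(n: int) -> list:
    """Constructed chaining values G_i||H_i, derived deterministically so the
    check is reproducible; they play the role of hashed message prefixes."""
    states = []
    for i in range(n):
        digest = hashlib.sha256(b"constructed-state-%d" % i).digest()
        states.append((int.from_bytes(digest[:2], "big"),
                       int.from_bytes(digest[2:4], "big")))
    return states


def count_relation_1(compress, states) -> int:
    """How many of the given states satisfy Equation (1) under `compress`."""
    return sum(relation_1_holds(compress, G, H) for G, H in states)


if __name__ == "__main__":
    states = sample_states(256)
    print("xor variant:", count_relation_1(h_xor_variant, states), "of", len(states))
    print("real Yi-Lam:", count_relation_1(h_yilam, states), "of", len(states))
```

In the xor variant the relation holds for every state, which is the XOR-linear leak the text describes; in the real hash it holds only for the small fraction of states where the addition generates no carry, and that is the gap the carry-bit analysis in the paper has to bridge. The same kind of relation check is a cheap test to run on any double-length construction before trusting its two output halves to be independent.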

Of course, the real Yi-Lam hash mixes addition with xor to prevent these 
sorts of attacks. So we need to extend our analysis to handle the carry bits. 
We begin by establishing a simple lemma on the incompatibility of xor and 
addition. 

Lemma 1. If $a, b, c$ are independently and uniformly distributed over all $m$-bit values, then

$$\Pr[(a \oplus c) - (b \oplus c) = a - b \bmod 2^m] = (3/4)^{m-1} > 2^{-.42m}.$$

Proof. See Appendix A. 
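Lemma 1 can be checked exactly for small $m$ by exhaustive enumeration. The following is an added example (not from the paper) that does so, and also verifies the per-$c$ probability $2^{-W(c')}$ that the proof in Appendix A relies on, with $W$ the Hamming weight and $c'$ the $m-1$ low bits of $c$. The function names are this example's own.

```python
from fractions import Fraction


def popcount(x: int) -> int:
    return bin(x).count("1")


def lemma1_probability(m: int) -> Fraction:
    """Exact Pr[(a xor c) - (b xor c) = a - b mod 2^m], enumerating all
    2^(3m) triples (a, b, c); practical for m up to about 6."""
    mod = 1 << m
    hits = 0
    for c in range(mod):
        for a in range(mod):
            ac = a ^ c
            for b in range(mod):
                if (ac - (b ^ c)) % mod == (a - b) % mod:
                    hits += 1
    return Fraction(hits, mod ** 3)


def lemma1_formula(m: int) -> Fraction:
    """Closed form of Lemma 1: (3/4)^(m-1)."""
    return Fraction(3, 4) ** (m - 1)


def fixed_c_probability(m: int, c: int) -> Fraction:
    """Probability over (a, b) for one fixed c."""
    mod = 1 << m
    hits = sum(1 for a in range(mod) for b in range(mod)
               if ((a ^ c) - (b ^ c)) % mod == (a - b) % mod)
    return Fraction(hits, mod * mod)


def predicted_fixed_c(m: int, c: int) -> Fraction:
    """The proof's prediction 2^(-W(c')), where c' drops the top bit of c:
    each set bit of c' below the top position halves the chance that the
    two carry chains stay equal."""
    c_prime = c & ((1 << (m - 1)) - 1)
    return Fraction(1, 2 ** popcount(c_prime))


def bound_holds(m: int) -> bool:
    """The inequality (3/4)^(m-1) > 2^(-.42 m) used in the collision analysis."""
    return float(lemma1_formula(m)) > 2.0 ** (-0.42 * m)


if __name__ == "__main__":
    for m in range(2, 6):
        print(m, lemma1_probability(m), lemma1_formula(m), bound_holds(m))
```

Because the lemma is exact rather than asymptotic, the enumerated probability and the closed form agree as rational numbers, not just approximately; the per-$c$ check shows where the $(3/4)$ factor comes from, since averaging $2^{-W(c')}$ over all $c'$ is $(1 + 1/2)^{m-1} / 2^{m-1}$.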

For the collision attack on the full Yi-Lam hash, we suggest calculating the values

$$G'_i \| H'_i = h(G_i \| H_i, G_i \oplus (-H_i)), \qquad i = 1, \ldots, n,$$

for $n$ values of $G_i \| H_i$, where $-H_i$ denotes the additive inverse of $H_i$ modulo $2^m$. The analysis goes as follows. Suppose that, for some pair $i \ne j$, we have $H'_i = H'_j$. Then $G'_i = (H'_i \oplus (-H_i)) + H_i$ and similarly $G'_j = (H'_j \oplus (-H_j)) + H_j = (H'_i \oplus (-H_j)) + H_j$. Now the lemma ensures that

$$(H'_i \oplus (-H_i)) - (H'_i \oplus (-H_j)) = (-H_i) - (-H_j) = H_j - H_i \bmod 2^m$$

holds with probability $> 2^{-.42m}$, so $G'_i = G'_j$ with the same probability. With $n = 2^{.71m}$ trials, we expect to see $2^{.42m-1}$ pairs $i, j$ such that $H'_i = H'_j$, which is enough that with non-negligible probability we expect to see one of them where $G'_i = G'_j$ also holds.

To summarize, this shows how to find a collision in the Yi-Lam hash with about $2^{.71m}$ offline hash computations. We expect that the storage complexity of the collision-finding attack will be negligible, if parallel collision search techniques are used to implement the attack [7].

4 Conclusions 

We have shown that the Yi-Lam hash has serious flaws, and it is clear that 
the construction offers only minor benefits over traditional single-length hash 
functions. 

The fundamental problem is that the Yi-Lam construction relied on the non- 
linearity of the carry bits found in modular addition. However, addition possesses 
only mild nonlinearity properties, and we have seen that in this case they were
not enough to resist attack. 

We considered a Yi-Lam variant where the addition operation is replaced by 
an xor operation, and found a relation (see Equation 1) between the inputs and 
outputs of the compression function that is linear over XOR. This linear relation 
allows one to break the variant with a trivial attack. With the addition operation 
in place, the corresponding relation is no longer XOR-linear, but it is nearly so, 
and this permits a simple extension to the previous attack to handle the slight 
nonlinearity. 

Therefore, our results provide some evidence to suggest that merely including 
an incompatible group operation in the hash design may not be sufficient to 
assure security. This does not rule out the possibility that mixing incompatible 
operations might improve the security of some cipher-based hash functions — at 
least in the case of the Yi-Lam hash, the inclusion of the addition operation did 
appear to frustrate certain trivial attacks — but we advise caution. We propose 
that in the future it would be wise for designers to avoid relying on addition 
modulo $2^m$ (instead of xor) too much.

A Proof of Lemma 1

Lemma 1. If $a, b, c$ are independently and uniformly distributed over all $m$-bit values, then

$$\Pr[(a \oplus c) - (b \oplus c) = a - b \bmod 2^m] = (3/4)^{m-1} > 2^{-.42m}.$$

Proof. We rearrange the equation to become

$$(a \oplus c) + b = a + (b \oplus c) \bmod 2^m.$$

Let $d$ stand for the left-hand carry bits, and $e$ the right-hand carry bits. Then $(a \oplus c) + b = (a \oplus c) \oplus b \oplus d \bmod 2^m$, and $a + (b \oplus c) = a \oplus (b \oplus c) \oplus e \bmod 2^m$, so our required equation becomes

$$(a \oplus c) \oplus b \oplus d = a \oplus (b \oplus c) \oplus e \bmod 2^m.$$

In short, we need only calculate the probability that $d = e$. Let $d_j$ be the $j$-th bit position in $d$, for $j = 0, \ldots, m-1$, where $d_0$ is the least significant bit of $d$. Define $e_j$ and $c_j$ similarly. We have $d_0 = e_0 = 0$ trivially. Now we proceed inductively. Suppose that $d_i = e_i$ for $i = 0, \ldots, j$ where $0 \le j < 31$. We know that $d_{j+1}$ is computed as the majority function of $a_j \oplus c_j$, $b_j$, and $d_j$; also, $e_{j+1}$ is calculated as the majority of $a_j$, $b_j \oplus c_j$, and $e_j = d_j$. If $c_j = 0$, then clearly $d_{j+1} = e_{j+1}$. On the other hand, if $c_j = 1$, then $d_{j+1} = e_{j+1}$ holds with probability exactly $1/2$ (i.e., in the case that $a_j \ne b_j$). Moreover, the probabilities for each bit position are independent, so we can multiply them. Therefore, for any fixed value of $c$ the probability is $2^{-W(c')}$, where $W(c')$ denotes the Hamming weight of $c'$, and $c'$ denotes the $m-1$ least significant bits of $c$.

Summing over $c$ and applying the binomial theorem, we get that the desired probability $p$ satisfies

$$\begin{aligned}
p &= \sum_{c < 2^m} 2^{-m} \cdot 2^{-W(c')} \\
  &= 2^{-m+1} \sum_{c' < 2^{m-1}} 2^{-W(c')} \\
  &= 2^{-m+1} \cdot (1 + 1/2)^{m-1} \\
  &= 2^{-m+1} \cdot (3/2)^{m-1} \\
  &= (3/4)^{m-1} \\
  &\approx 2^{-.415(m-1)} \\
  &> 2^{-.42m}.
\end{aligned}$$

This completes the proof.
Abstract. Since Power Analysis on smart-cards was introduced by Paul
Kocher [KJJ98], the validity of the model used for smart-cards has not 
been given much attention. In this paper, we first describe and ana- 
lyze some different possible models. Then we apply these models to real 
components and clearly define what can be detected by power analysis 
(simple, differential, code reverse engineering...). We also study, from a 
statistical point of view, some new ideas to exploit these models to at- 
tack the card by power analysis. Finally we apply these ideas to set up 
real attacks on cryptographic algorithms or enhance existing ones. 

Keywords: Smart-cards, Power analysis, DPA, SPA. 


1 Power Consuming Models for Smart-Cards 

In cryptographic protocols, we normally assume that the attacker has at most 
the knowledge of the algorithm used and some input and/or output values. In the 
attack on smart-cards based on power-analysis, the situation is quite different: we 
assume the attacker has access to more than this, namely, see (within a certain 
limit) what is done during the computation. Therefore, we need to specify what 
kind of knowledge could be extracted from a card. 

1.1 Sensitive Instructions 

As opposed to modern computers, the smart-card processor is very limited in 
terms of capabilities, registers and memory. Usually, the arithmetic or the logi- 
cal operations (xor, or, add...) are executed through a special register (e.g. the 
A-accumulator for Intel 8051 compatible family). Therefore, the programmer 
cannot load the variables to registers, execute the instructions on them and 
afterwards store them in their final positions in the memory. So, during the en- 
tire execution of a program, the micro-controller is always loading/saving the 
output of the calculation to/from memory. Moreover, the limited memory of the 
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devices often obliges the programmer to implement his code in a straightforward 
manner. 

The limited set of instructions is another advantage for the attacker: usually,
all the instructions involve at most two 8-bit variables for the input and one
for the output. In most cases one or two of these variables are a special register.
Taking advantage of this, the attacker can easily study nearly all the instruction 
set. 

For these reasons, it seems reasonable to assume that a good point to attack 
a smart-card is when the processor is loading/saving a value. 


1.2 Some Consumption Models 

A smart-card, even if it is one of the most simple processors, consists of a lot 
of different blocks: the processor itself, the memory, the Bus ... This is why we 
need to consider a very general model to represent it correctly. All these blocks 
are perturbed by external parameters and so will react differently every time (the
power supply can fluctuate, and so can the clock ...).

Executing an instruction on a smart-card, like on most micro-controllers, 
takes several machine cycles. For example, the XOR of two values could be 
processed as follows by the CPU: 

- analyze which instruction is to be executed (e.g. XOR);
- load the variables;
- execute the calculation;
- store the result.

Those operations can of course be pipelined and so are not serial in time. 

This first (simple) analysis shows that, to model the power consumption of a 
smart-card, several things need to be taken into account: 

- the instruction which is executed;
- the data involved in the calculation (input, output);
- the location in RAM/ROM of the instruction executed and the data;
- the instructions involved before and after the instruction considered;
- some random fluctuation.

Based on these considerations and some experiments we consider here the following general model: the power consumption of an instruction $I$ (an array $P[I, 1..n]$ where $n$ is the number of points during the acquisition of the instruction) could be represented as follows:

$$P[I] = P_{gen}[I] \times N_{gen} + P_{in}[I, V_{in}] \times N_{in} + P_{out}[I, V_{in}, V_{out}] \times N_{out} + P_{last}[I', V'] \times N_{last}$$

where:

- $P_{gen}$ is the general consumption of the instruction and $N_{gen}$ the fluctuation of $P_{gen}$ (i.e. location of the code in ROM/EEPROM);
- $P_{in}[V_{in}]$ is the power consumption of the input operand (we shall see that in first approximation, the power consumption does not depend on the instruction executed) and $N_{in}$ the associated noise;
- $P_{out}[I, V_{in}, V_{out}]$ is the power consumption of the output operand (this time, of course, it depends on the nature of the instruction) and $N_{out}$ the associated noise;
- $P_{last}[I', V']$ represents the influence of the preceding instructions and their input/output and $N_{last/next}$ the associated noise.

1.3 Consumption Model for the Data 

Intrinsic behaviour of the micro-controller hardware shows the following characteristics:

- there are some gates which commute when a value changes ($0 \to 1$ or $1 \to 0$);
- the bus drives the bit of information (so the value of a bit changes the consumption);
- some bits influence some other places in the micro-controller (e.g. the carry, the overflow);
- writing a 0 or a 1 does not consume the same power.

Taking these considerations into account, we can define the following different models:

- Global: $P[x] = K_x$
- Linear: $P[x] = \sum_i x_i \times P_i$
- Flipping: $P[x] = F(x, x_{last})$
- Quadratic: $P[x] = \sum_{i,j} X_{00ij} P_{00ij} + X_{01ij} P_{01ij} + X_{10ij} P_{10ij} + X_{11ij} P_{11ij}$

where:

- $X_{abij} = 1$ iff $x_i = a$ and $x_j = b$;
- $P_{abij}$ is the associated consumption;
- $x_i$ corresponds to bit $i$ of $x$.

The global model is the most general one: it implies a specific consumption for every possible value.

The linear model assumes that every bit has a specific weight and is independent of the other bits. For example if you fix $P_i = 1$ for all $i < n$ you obtain a "Hamming weight consumption" model.

The flipping model can represent the case where the last value influences the consumption. For example if you take $F = HW(data \oplus data_{last})$, where $HW$ is the Hamming weight, it represents the number of bit flips between the last data which has been manipulated and the current one.

The quadratic model is more powerful. It can represent components where the consumption depends on the value of the bits taken two at a time.

Now let us see how this model is correlated to reality. 
2 Real Smart-Cards

All the results given are based on two different models of smart-card processors^1: a low cost model and a more powerful one. But after further experimentation it seems that most smart-cards behave in a similar way to the defined consumption models.

We want to point out that some aspects have not been considered in the present paper:

- it was assumed that the instructions all had the same consumption model;
- the influence of past instructions was not taken into account.


2.1 Generalities 

It appears that most of the processor consumption is due to the instruction 
being executed. The associated noise is relatively small and probably takes into 
account the previous executed instructions; the rest of the consumption comes 
from the values involved in the calculation (input and output). 


| Instruction | Data | Last instructions/data | Noise after filtering |
|---|---|---|---|
| 85% | 9% | 5% | 1% |


2.2 Validity of the Memory Models in Practice 

Many people have concluded (cf. [KJJ98, CJRR99a, BS99]) that the consump- 
tion of the card directly depends on the Hamming weight, or the number of 
changes 0 <-> 1 in the binary value considered. It appears that the Hamming 
weight model is not adapted to the two smart-cards we studied. 

The diagrams in figure 1 show the consumption associated with the storage of a value in RAM ordered by Hamming weight, and this for the two different smart-cards. If this hypothesis was true we should see an increasing curve, which is not the case. By ordered we mean that the values $x_1 \ldots x_{256}$ of the average consumption of the "store-x" instruction were taken and ordered by respecting the following: $x_i \le x_j \iff HW(i) \le HW(j)$, where $HW(i)$ represents the Hamming weight of $i$. If $HW(i) = HW(j)$ then we did order the values by comparing their consumption.

One can see from figure 1 that for a given consumption, one would get different Hamming weight values.

We need to find a more appropriate model. We have ordered the values of consumption to have a reference to the correct model. The goal was to find an order on $[0..255]$ which is close to the real order obtained by sorting the power consumptions. Due to the architecture of the micro-controller we have decomposed the value $n \in [0, 256]$ in its binary form $n_1, \ldots, n_8$. The first idea was to find a "linear" order: this means assigning some weight to the different bits of $n$. To compare $n$ to $m$, once the weights $p_1, \ldots, p_8$ have been chosen, you compare $n_1 p_1 + \cdots + n_8 p_8$ to $m_1 p_1 + \cdots + m_8 p_8$. For example the Hamming weight corresponds to $p_1 = p_2 = \cdots = p_8 = 1$ and the natural order to $p_i = 2^{8-i}$. Taking for $p_i$ the average difference of consumption of the bit $i$ (comparing the consumption between "load(x)" and "load(y)" where $x_j = y_j$ except for the bit $i$; see figure 3 below) we obtain the following curves (figure 2).

^1 The exact models are obviously not given here.

Fig. 1. Hamming Weight Model

Fig. 2. Best Linear Model

We can clearly see that even if the results are satisfying, we are still far from the expected curve for the low end component (we add a "reference" curve: the curve obtained by sorting the consumption). To check if the "linear" model was correct, we computed for all values the difference caused by changing just one bit in the operand.
The table in fig. 3 presents all the results. The "bit $i$" column is obtained by the following computation: the 128 values where the $i$-th bit was 0 were taken and for each individual value the $i$-th bit was turned on. The individual consumption changes were measured. Then, we extract the minimum and the maximum of the 128 values and compute the average and the standard deviation to sum up the results:


| Component | Consumption | bit 0 | bit 1 | bit 2 | bit 3 | bit 4 | bit 5 | bit 6 | bit 7 |
|---|---|---|---|---|---|---|---|---|---|
| low cost | average | 11.9 | 11.3 | 11.4 | 12.1 | 7.0 | 32.3 | 34.5 | 44.85 |
| low cost | min | -12.1 | -25.6 | -15.1 | -15.4 | -30.0 | 1.2 | -8.0 | 7.2 |
| low cost | max | 40.5 | 42.2 | 45.7 | 60.0 | 45.0 | 67.6 | 73.7 | 86.7 |
| low cost | standard deviation | 10.3 | 11.7 | 10.8 | 13.6 | 14.1 | 11.9 | 16.9 | 16.3 |
| high | average | 12.1 | -21.9 | 16.1 | 10.7 | 14.1 | -20.1 | -5.0 | 10.3 |
| high | min | 5.3 | -27.7 | 8.5 | 5.7 | 7.7 | -25.3 | -11.0 | 3.6 |
| high | max | 17.0 | -15.5 | 24.0 | 18.1 | 19.7 | -14.0 | 2.4 | 16.9 |
| high | standard deviation | 2.3 | 2.4 | 2.4 | 2.4 | 2.4 | 2.4 | 2.8 | 2.7 |

Fig. 3. Comparison in mV of the influence of one bit on low and high cost component
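The following is an added example, not code from the paper, serving two passages: the byte-level consumption models of Section 1.3 (global, linear, flipping, quadratic) and the one-bit influence statistic behind Fig. 3. It fills a global table from a chosen model and then runs the Fig. 3 computation on it (take the 128 values with bit $i$ clear, set bit $i$, summarise the changes). The linear weights reuse the low cost averages from Fig. 3; the adjacent-pair interaction table is constructed for illustration and is not a measured value. All function names are this example's own.

```python
from statistics import mean, pstdev

BITS = 8


def bit(x: int, i: int) -> int:
    return (x >> i) & 1


def hamming_weight(x: int) -> int:
    return bin(x).count("1")


def linear_model(x: int, weights) -> float:
    """Linear model P[x] = sum_i x_i * P_i. Weights of all ones give the
    Hamming weight model; weights 2^(8-i) give the natural order."""
    return sum(bit(x, i) * weights[i] for i in range(BITS))


def flipping_model(x: int, x_last: int) -> int:
    """Flipping model with F = HW(data xor data_last): the number of bits
    that change between the previous value handled and the current one."""
    return hamming_weight(x ^ x_last)


def quadratic_model(x: int, pair_weights) -> float:
    """Quadratic model: P[x] = sum over pairs (i, j) of P_{ab ij} with a = x_i
    and b = x_j. pair_weights maps (i, j) to the tuple (P00, P01, P10, P11)."""
    return sum(table[2 * bit(x, i) + bit(x, j)]
               for (i, j), table in pair_weights.items())


def simplified_quadratic_weights(adjacent):
    """The simplified quadratic model of Section 2.2: only pairs with
    |i - j| = 1 interact. adjacent[i] is the table for the pair (i, i + 1)."""
    return {(i, i + 1): adjacent[i] for i in range(BITS - 1)}


def global_table(model):
    """Global model: one consumption value K_x per byte value. Here the table
    is filled from another model so that the models can be compared."""
    return [model(x) for x in range(256)]


def bit_influence(table, i: int) -> dict:
    """Fig. 3 statistic: for the 128 values with bit i clear, set bit i and
    record the consumption change; summarise by min, max, average, std dev."""
    deltas = [table[x | (1 << i)] - table[x]
              for x in range(256) if bit(x, i) == 0]
    return {"min": min(deltas), "max": max(deltas),
            "average": mean(deltas), "stddev": pstdev(deltas)}


def fig3_report(table) -> dict:
    """Per-bit influence summary for a whole table, in the layout of Fig. 3."""
    return {i: bit_influence(table, i) for i in range(BITS)}


# Linear weights P_i: the low cost component's average bit influences
# from Fig. 3 (in mV), reused here as the weights of a linear model.
LINEAR_WEIGHTS = [11.9, 11.3, 11.4, 12.1, 7.0, 32.3, 34.5, 44.85]

# Constructed (not measured) interaction table for every adjacent pair:
# (P00, P01, P10, P11). Setting both bits costs less than the sum of the two.
ADJACENT = [(0, 3, 5, 4)] * (BITS - 1)


if __name__ == "__main__":
    linear = global_table(lambda x: linear_model(x, LINEAR_WEIGHTS))
    quad = global_table(lambda x: quadratic_model(x, simplified_quadratic_weights(ADJACENT)))
    for name, table in (("linear", linear), ("simplified quadratic", quad)):
        print(name)
        for i, s in fig3_report(table).items():
            print(f"  bit {i}: avg {s['average']:.2f} min {s['min']:.2f} "
                  f"max {s['max']:.2f} std {s['stddev']:.2f}")
```

The point the report makes visible is the one the text draws from Fig. 3: under any purely linear model the 128 deltas for a bit are all identical (standard deviation zero), so the spread and sign changes measured on the low cost component cannot come from a linear model, whereas the simplified quadratic model produces a spread as soon as neighbouring bits interact.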


We can notice some interesting things that explain the previous curves:

In both components, one can notice that flipping a bit from 0 to 1 does not affect the consumption by an equal difference. Moreover it can either increase or decrease the consumption. So it shows that in this case the Hamming weight model is totally inadequate.

The influence of each bit is not increasing or decreasing with its position inside the byte.

For the low cost component, the variance is very large (e.g. for bit 6, it can increase or decrease the consumption), explaining why the "best linear model" is not adequate. But, if we consider the following simplified quadratic model, in which we keep only the terms with $|i - j| = 1$ (a bit only influences the bit just before and just after), then the curve is very close to the sorted one (not presented here).

For the high cost component the variance is significantly reduced. The silicon foundry may have tried to separate the consumption of each bit, inducing this difference.

Now that we have a better model, let us see statistically how much informa- 
tion we can get from a card. 
3 Attacks

In this section, we will consider that the following models are good enough to be as precise as the ideal one:

- simplified boolean polynomials of degree 2 for the low cost smart-card;
- best linear model for the high cost smart-card.


3.1 Existing Attacks 

One of the most common attacks by power analysis is the DPA attack against DES. For more details, see [KJJ98]. The interesting aspect here is that this attack is based on the following assumption:

On average, the consumption of the card computing with values $x$ such that $x_i = 0$^2 can be distinguished from the consumption where $x_i = 1$.

We need to prove this assumption. It would be obvious if the card was respecting the Hamming weight model, but, judging by our results, this is not clear. Table 4 presents some results about the efficiency of a DPA attack. We have computed the average consumption of the set of $x$ such that $x_i = 0$ (resp. $x_i = 1$).


| Component | Consumption for | bit 0 | bit 1 | bit 2 | bit 3 | bit 4 | bit 5 | bit 6 | bit 7 |
|---|---|---|---|---|---|---|---|---|---|
| low cost | $x_i = 0$ | 0.474 | 0.475 | 0.475 | 0.473 | 0.485 | 0.429 | 0.424 | 0.402 |
| low cost | $x_i = 1$ | 0.526 | 0.525 | 0.525 | 0.527 | 0.515 | 0.571 | 0.575 | 0.598 |
| high | $x_i = 0$ | 0.444 | 0.498 | 0.425 | 0.450 | 0.434 | 0.406 | 0.476 | 0.452 |
| high | $x_i = 1$ | 0.556 | 0.602 | 0.575 | 0.550 | 0.566 | 0.593 | 0.524 | 0.548 |

Fig. 4. Efficiency of a DPA attack on low cost and high cost component


The table above confirms the experimental attack: the difference between the 
two distributions is quite important for every bit of data. But this attack being 
based on an imperfect model, we have tried to use a better model to enhance 
existing attacks and imagine new ones. 


3.2 PODPA (Perhaps Optimal Differential Power Analysis)

Theory: Ordering the consumption, we compute the sets of values $A$ and $B$ such that:

- $A$ and $B$ are disjoint, $A \cup B = [0..255]$;
- $|A| = |B| = 128$;
- $\forall (x, y) \in A \times B$, consumption$(x) <$ consumption$(y)$.

^2 $x_i$ is the bit $i$ of $x$.
Then we obtain a much higher difference between the consumption of subsets $A$ and $B$ than in the usual DPA case:

- 36.7% / 63.3% for the low cost component;
- 34.3% / 65.7% for the high cost one.

In real attacks, this results in an improvement by a factor 5 (number of messages 
needed for a successful attack). Moreover, in critical situations (low quality ac- 
quisition, cards allowing few tries), it could result in a sufficient improvement to 
make an otherwise unsuccessful attack work. 
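The two quantities compared in this section and in Fig. 4 can be computed on any consumption table. The following is an added example (not code from the paper) that does so from an evaluator's side: it reports, for a given leakage model, how far apart the two class means are when the classes are chosen by one bit of the value, and how far apart they are under the consumption-ordered partition $A$, $B$ defined above, which is the largest separation any two-way split of the values can achieve. The tables are constructed: a pure Hamming weight model, and a linear model with the low cost averages of Fig. 3 as weights. Function names are this example's own.

```python
from statistics import mean


def bit(x: int, i: int) -> int:
    return (x >> i) & 1


def hamming_weight(x: int) -> int:
    return bin(x).count("1")


def dpa_bit_shares(table, i: int):
    """Fig. 4 statistic: mean consumption over {x : x_i = 0} and over
    {x : x_i = 1}, normalised so that the two shares sum to 1."""
    zero = mean(table[x] for x in range(256) if bit(x, i) == 0)
    one = mean(table[x] for x in range(256) if bit(x, i) == 1)
    return zero / (zero + one), one / (zero + one)


def ordered_partition(table):
    """Section 3.2 partition: sort the 256 values by consumption; A is the
    128 lowest, B the 128 highest, so every element of A consumes no more
    than every element of B (ties are split by value order)."""
    order = sorted(range(256), key=lambda x: table[x])
    return order[:128], order[128:]


def partition_shares(table, A, B):
    """Normalised mean consumption of the two subsets, as in Section 3.2."""
    a = mean(table[x] for x in A)
    b = mean(table[x] for x in B)
    return a / (a + b), b / (a + b)


def separation_gap(shares) -> float:
    """Difference between the two shares; 0 means the split carries no information."""
    return shares[1] - shares[0]


def weakest_and_strongest_bit(table):
    """Which single bit is least and most distinguishable under the bit split."""
    gaps = {i: separation_gap(dpa_bit_shares(table, i)) for i in range(8)}
    return min(gaps, key=gaps.get), max(gaps, key=gaps.get)


# Constructed table 1: a pure Hamming weight leakage model.
HW_TABLE = [hamming_weight(x) for x in range(256)]

# Constructed table 2: a linear model whose weights are the low cost
# component's average bit influences from Fig. 3 (in mV).
LOW_COST_WEIGHTS = [11.9, 11.3, 11.4, 12.1, 7.0, 32.3, 34.5, 44.85]
LOW_COST_LINEAR = [sum(bit(x, i) * LOW_COST_WEIGHTS[i] for i in range(8))
                   for x in range(256)]


if __name__ == "__main__":
    for name, table in (("hamming weight", HW_TABLE), ("low cost linear", LOW_COST_LINEAR)):
        print(name)
        for i in range(8):
            z, o = dpa_bit_shares(table, i)
            print(f"  bit {i}: {z:.3f} / {o:.3f}")
        A, B = ordered_partition(table)
        a, b = partition_shares(table, A, B)
        print(f"  ordered partition: {a:.3f} / {b:.3f}")
```

For the Hamming weight table every bit gives the same 43.75% / 56.25% split while the ordered partition gives about 36.3% / 63.7%, so the ordered partition roughly doubles the gap between the class means; the usual rule of thumb is that the number of traces needed to tell the classes apart scales with the inverse square of this gap. For the linear table the per-bit gap is simply $P_i / \sum_j P_j$, which is why a leakage assessment should look at the weakest bit (here bit 4) as well as the strongest (bit 7): a countermeasure has to drive both, and the ordered-partition gap, toward zero.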


Practical Scenario: we assume for this example that the scheme of DES is known. As in the classical DPA attack, we repeat the following operations on several DES acquisitions with the message $M$:

- apply IP (DES Initial Permutation) to $M$;
- apply the expansion permutation to the 32 right bits of IP($M$);
- guess 6 bits of the key (output of the first round key scheduling) and XOR it to the corresponding part of the message;
- those 6 bits will be the input of the S-Box table look-up.

In the classical attack we consider one bit of the output of the S-Boxes. But 
here, we will just separate the set [0, 63] (6 input bits of the S-Boxes) in two 
optimal subsets by the method explained in the last section. Then, by analyzing 
all the 6 bits guesses, we can determine the single correct guess. Indeed, by 
definition of the subsets, it will be the difference curve with the biggest peak. 

Remarks: 

To realize this attack, we need to know the optimal linear model for the consumption of the smart-card: in reality, this information is not obtained easily^3.
So we have to find an experimental method to determine the consumption model.
The easiest method is to implement the "usual" DPA attack to determine a key
on one component. Next, to analyze the leaking instruction (in the DPA attack) 
for every possible input; one can do this knowing the message and the key. And 
then the results can be applied to every implementation of crypto-algorithms on 
the same component. 

Even if this example is specific, it highlights under which conditions this at- 
tack could be applied: one has to go through the algorithm with a known message 
until a part of the key is involved and mixed with the message. This situation is 
quite general for secret and public key algorithms, (i.e. AES candidates, RSA, 
ECC ...) 


^3 Such information is considered proprietary by the silicon manufacturers.

3.3 BPA: Binary Power Analysis

We will now study another type of attack, the Binary Power Analysis. 


Theory: In many secret key algorithms (like DESX, cellular phone algo- 
rithms...), the ’’whitening” technique is used to increase the size of the key with- 
out modifying the algorithm used or using multiple encryption. The method used 
is the following: before (respectively after) the algorithms core, the message (the 
result) is xored (whitening operation) with a part of the key. 

e.g.: whitening an 8-bit message $M = M_0 \ldots M_7$ with an 8-bit key $K = K_0 \ldots K_7$:

- for(i=0..8) do $M_i = M_i \oplus K_i$
- $C$ = Encrypt($M$)
- for(i=0..8) do $C_i = C_i \oplus K_i$

This method, from a power analysis point of view, prevents a DPA-like sim- 
ulation on the message. Unfortunately, it is quite easy to attack this operation 
by power analysis and then use the usual attack on the algorithm core. This is 
based on the fact that if a bit of the key is 0 the associated bit in the message 
will remain unaltered. 

Here are the BPA attack operations : 

- Obtain $n$ curves $\{T_k\}_{k=1..n}$ associated with the messages $M_k$
- for(i=0..8) do (if there are 8 bytes)
  - for(j=0..8) (8 bits / byte)
    - Separate the curves in 2 subsets according to the bit $j$ of byte $i$ of all messages $M_k$
    - Subtract the average of the 2 subsets
- Process the results to determine the whitening key possibilities

The last step needs more explanations to understand how the separation is done 
in practice. 


Practical Scenario: Figure 5 presents the results of the analysis of a whitening operation (just one byte).

In this case, the analysis is quite easy. The XOR operation is executed in 3 steps: first the input values are loaded, then the xor is executed, lastly the result is stored. So, when attacking a particular bit, on average the consumption will not change when the key bit is 0 and will when the key bit is 1. In this case, we can quite easily recover the key byte by comparing the beginning and the end of the instruction: $K = 00001001$.^4

One can find more details about the attack in [CJRR99a].

^4 In this figure the second peak of each part is representative of the key bit.

Fig. 5. Whitening operation on a low cost component


3.4 DiPA: Direct Power Analysis 

If the consumption model of a card is well known, some very powerful attacks 
can be set up, avoiding two restriction of DPA like attacks: 

— Why just separate the consumption in only two sets? 

— Why only do an average differential analysis? 

Considering the consumption distribution, it is surely possible to distinguish
more than two parts in the consumption curves and build more sophisticated
attacks. For example, one can construct boolean or linear formulas on key-bits
or key-bytes like:

— The i-th byte of the key is one of these values...

— Bits j and k are equal...

— If bits j and i are different then...

— b_i + b_j + b_k = 2...

One can then extract some bits of the key by appropriate computation (involving
boolean solving methods, Gröbner bases...).
Moreover, if you have a reasonable model for the card, the important point
is that all these equations can be obtained with separate acquisitions and do
not involve any averaging or differential. You can extract information on each
individual computation done by the card.

For example, with the DES, you can extract a lot of information: you can
have a very precise idea of the key if you can (and this is possible in reality)
localize operations during the end phase of the key-scheduling (just before the
xor preceding the S-box operation). You obtain 16 sets of boolean equations on
the 6-bit values of the keys. If the accuracy of the model is good (number of
subsets in [0, 255] > 8) you can recover the entire key with just one acquisition
and even without knowing which message is being encrypted.

3.5 Countermeasures 

In reality, many countermeasures exist to prevent power analysis attacks on the 
smart-card: 

— desynchronisation of the measures: dummy operations, random frequency 
clock...; 

— randomization of the operations: i.e. random permutations; 

— transformations of the data: i.e. public key blinding, Duplication method
[GP99], masking methods [Mes00, CJRR99b].

3.6 Using Previous Results 

We summarize some general "counter-countermeasures" to these countermea-
sures:

- Pattern Recognition (to localize interesting instructions from dummy
operations): it appears that the general power consumption of an algorithm
does not change from one acquisition to the other. Moreover it could be that
every type of instruction (arithmetic, boolean, load and store ...) and every type
of addressing mode has a particular consumption profile. Hence, it might be pos-
sible to classify every assembly instruction by its power consumption. Such a
study has been undertaken with some success. Knowing the instruction profile,
one could disassemble part of the code or at least retrieve some instruction class.
The consumption profile helps in synchronising the curves when an external glitch
is not provided. Last but not least, an attacker could see what type of counter-
measures have been implemented in the code (use of random parameters). The
signals are first filtered in order to remove any local noise. Then, the adequate al-
gorithms (classical matching algorithms) are used to retrieve a given instruction
in a set of power consumption curves.

- Synchronizing a randomized clock: a hardware counter-measure against
waveform attacks consists in using a random clock. Experimentally, it is
possible to quite quickly rebuild the synchronous signals from the randomized
signals. Once again, the signals are processed with an adequate filter in order to
remove any local variations. As a result, it is easy to recognize (studying the first
and second derivative) the clock cycles. Then, according (or not) to a reference
curve, one can expand or shrink every single clock cycle of a given curve. The
procedure is then repeated for every clock cycle of the signal. One can then
re-use normal DPA attacks.

[Figure 6: power curve with the matched instruction marked as "Instruction: Return".]

Fig. 6. Pattern Recognition example

- Transformations/Masking Methods: we will just present here an
example. Often in the DES (due to its structure), the card computes randomly
with the data or with the flipped data (M ⊕ 0xFF..F) to protect the
card against a bit prediction of the data. But using the PODPA method, we
can neutralize this countermeasure. Knowing the consumption distribution of
the component, we proceed as follows:

— construct the 128 pairs (x, x ⊕ 255) for x < 128 with their average consumption
(c(x) + c(x ⊕ 255))/2;

— order the pairs by consumption;

— construct two subsets with the 64 lower/higher consumption pairs;

— proceed with a PODPA attack with this distribution.

This attack will work because it does not distinguish x and x ⊕ 255 for all
x ∈ [0, 255] (they are in the same subset). Moreover, in most components, the
consumption of these two subsets is quite different (similar to the usual DPA bit
selection subsets). For example, this attack is very efficient against the counter-
measure explained in [Mes00]. It exploits a small leakage when transforming an
"arithmetic" mask into a "logical" mask. However we want to point out the fact
that the PODPA attack does not defeat "arithmetic" or "logical" masks, just
the transformation from one to the other.

Unfortunately, DiPA attacks can counteract the masking countermeasures men-
tioned in [Mes00, CJRR99b]. The reason is the following: in their security
proof, they are assuming that the information is extracted from several mes- 
sages. But, with our attack some information about the key is extracted from 
each computation and not from the comparison of different acquisitions. 

4 Summary of an Effective Attack 

— Acquire sufficient signals to obtain general information. 

— Apply adequate DSP 5 to determine the type of clock and retrieve the struc- 
ture of the program (rounds, countermeasures ...). 

— By statistical test (variance) check if the execution is deterministic. 

— Obtain sufficient curves of a specific part of the algorithm. 

— Rescale if needed (noise, random clock...). 

— By usual methods extract one key. 

— Use SPA analysis to obtain more information about the card consumption. 

— Now one is able to use PODPA, POSPA or DiPA attacks to "easily" break
the card.

— One can directly attack other algorithms using the same card model! 

5 Conclusions 

We have shown that there are several potential attack scenarios which need to
be further explored. These attacks require a more detailed study of the com-
ponent than a classical DPA. A better knowledge of the behaviour of the chip
enables one to conduct powerful attacks even with little knowledge of the algorithm
implementation.
Abstract. We investigate several alternate characterizations of pseudo-
random functions (PRFs) and pseudorandom permutations (PRPs) in 
a concrete security setting. By analyzing the concrete complexity of the 
reductions between the standard notions and the alternate ones, we show 
that the latter, while equivalent under polynomial-time reductions, are 
weaker in the concrete security sense. With these alternate notions, we 
argue that it is possible to get better concrete security bounds for certain 
PRF/PRP-based schemes. As an example, we show how using an alter-
nate characterization of a PRF could result in tighter security bounds for 
some types of message authentication codes. We also use this method to 
give a simple concrete security analysis of the counter mode of encryp- 
tion. In addition, our results provide some insight into how injectivity 
impacts pseudorandomness. 

1 Introduction 

Pseudorandom functions (PRFs) and pseudorandom permutations (PRPs) are 
extremely useful and widely used tools in cryptographic protocol design, partic- 
ularly in the setting of private-key cryptography. In this paper, we study several 
different notions of security for these objects. Specifically, we study these notions 
in a concrete security framework, and we show how different characterizations 
may be used to derive better security bounds for some commonly used private- 
key cryptographic protocols. 

1.1 Descriptions of Notions 

The notion of a PRF family was proposed by Goldreich, Goldwasser and Micali 
[8]. In such a family, each function is specified by a short key, and can be easily
computed given the key. Yet it has the property that telling apart a function 
sampled from the PRF family and one from a random function family, given 
adaptive access to the function as a black-box, is computationally infeasible (for 
someone who does not know the key). This is the standard notion of a PRF, 
and (to distinguish it from alternate notions) we refer to it in this paper as the 

T. Okamoto (Ed.): ASIACRYPT 2000, LNCS 1976, pp. 503-516, 2000. 
PRF notion. Luby and Rackoff extended the above to permutation families by
introducing the notion of a PRP family [11]. The reference family for defining 
the security of a PRP family can be that of random functions, as in [11], or that 
of random permutations, a practice started by Bellare, Kilian and Rogaway [5]. 
We adopt the definition of [5] and refer to it here as the PRP notion. 

Alternate characterizations. PRFs may be characterized in several ways 
other than the standard notion. We are particularly interested in one way sug- 
gested in the very paper that introduced the standard notion [8]. This alternate
notion can be described informally through the following interactive protocol: 
a distinguisher who is given adaptive oracle access to the function obtains the 
output of the function on some points of its choice through oracle queries. It then 
outputs a point that has not yet been queried and gets back, based on a hidden 
coin flip, either the output of the function on that point or a uniformly dis- 
tributed point in the range of the function. It should be computationally infeasi- 
ble for the distinguisher to guess which of the two possibilities it was presented. 
We call this notion indistinguishable-uniform functions or IUF, to distinguish it 
from the standard notion PRF. A similar notion may be defined for permutation 
families, and we call this IUP for indistinguishable-uniform permutations. 

We also consider another notion that is normally associated with the secu- 
rity of encryption schemes. In this notion too, the distinguisher is given adaptive 
oracle access to the function. It then outputs two new points and, based on a 
hidden coin flip, is presented with the output of the function on one of them. 
We require that a computationally-restricted distinguisher have negligible suc- 
cess in telling apart the two cases. In this paper, we refer to this notion as IPF, 
for indistinguishable-point functions. We show that this notion does not imply 
pseudorandomness for functions. However, when we consider the analogous no- 
tion for permutations, which we call IPP (indistinguishable-point permutations), 
we find that pseudorandomness is captured. 

1.2 Concrete Security and Reductions Among the Notions 

Making a break from the traditional approach of presenting PRF families in an 
asymptotic way, Bellare, Kilian and Rogaway began the practice of explicitly 
specifying the resources determining security and paying particular attention 
to the quality of security reductions [5]. This approach forms the basis of con- 
crete security analysis and has been used in many subsequent works [4,2,3]. One 
benefit of this approach is that it enables the comparison (and classification as 
weaker or stronger) of polynomially-equivalent notions in cryptography. Paying 
attention to the concrete complexity of reductions between notions is impor- 
tant in practice, as inefficient reductions translate to a penalty either in security 
assurance or in running time. 

Reductions Among the Notions. Under polynomial-time reductions, the 
equivalence between the notions of PRF and IUF has been established by Gol- 
dreich et al [8]. (In fact, the concrete security bounds we derive in our reductions 
between these notions are implicit in theirs.) We establish that our reductions
are tight. Additionally, we relate the notions of PRP and IUP. The reductions
between these two permutation notions are the same as those between the cor-
responding notions for functions.

[Figure 1: diagram with the nodes pseudorandom function, pseudorandom permutation,
indistinguishable-uniform function, indistinguishable-uniform permutation,
indistinguishable-point function and indistinguishable-point permutation, joined
by labeled arrows.]

Fig. 1. Relating the notions. A solid arrow from notion A to notion B means that
there is a security-preserving reduction from A to B. A broken arrow indicates
a reduction that is not security-preserving. The arrows are labeled by the loss-
factor of the reduction. A hatched arrow means that there is no polynomial-time
reduction.

Furthermore, we show that IUP and IPP are equivalent, up to a small constant 
factor in the reduction. However, as mentioned above, a different picture emerges 
when we look at the corresponding notions for functions. It turns out that IPF 
and IUF (or PRF) are not equivalent, even in just an asymptotic sense. We show 
that IPF is a strictly weaker notion, in that there are function families which are 
secure in the IPF sense, but completely insecure in the IUF sense. A summary of 
the reductions is given in Figure 1. 

1.3 Motivation: Tighter Security Analyses 

Our demonstration that the alternate notions we consider here are weaker in 
the concrete security sense than the standard notions might be seen as an ar- 
gument against using any of them. Yet we will recommend their use in certain 
circumstances (to complement, rather than replace the standard notions). 

In a concrete security analysis of a protocol which is based on a particular 
primitive, the security of the protocol is related to that of the underlying prim- 
itive in a precise way. If we know the concrete security of a protocol in terms of 
the security of the underlying primitive under one notion, it is easy to translate 
this to the security of the protocol in terms of the security of the primitive un- 
der a weaker notion. We simply use the appropriate security reduction between 
the notions. We then see a drop in the translated security, reflecting the gap 
in the reduction between the notions. However, we show that it is sometimes 
possible to directly reduce the security of the protocol to that of the underlying 
primitive under a weaker notion without the expected drop in security. Such 
a situation exists when the weaker notion somehow “meshes” better with the 
notion of security for the protocol. 
We make the above discussion more concrete with two examples: message
authentication codes and symmetric encryption schemes. The security of (de- 
terministic) message authentication codes (MACs) is captured by the notion of 
unpredictable functions [10,1,12]. In the context of MACs, this means that an 
adversary who is given valid MACs on some messages of its choice will be un- 
likely to succeed in outputting a “new” message (that is, one different from those 
whose MACs it has been given) along with a valid MAC on that message. It is
well-known that any PRF is unpredictable (i.e. a secure MAC) [8]. Moreover, 
the reduction from unpredictable functions to PRFs is almost tight [5]. We show 
that using a direct reduction from unpredictable functions to IUF, one can obtain 
exactly the same bounds. This represents a tightening of the analysis, as we 
expect security of a PRF in the IUF sense to be smaller than the security in the 
standard PRF sense. (Our reductions show that the security in the IUF sense will 
never be more than a constant factor of 2 greater than the security in the PRF 
sense and will typically be a quantitative factor less.) 

Now let us examine in what sense IUF “meshes” better with the notion of 
unpredictable functions. The quantitative drop in security in the reduction from 
PRF to IUF can be traced to the fact that under IUF the distinguisher must decide 
given one challenge whereas, under PRF, every response to a query potentially 
constitutes a “challenge”. Like IUF, the notion of unpredictable functions also has 
a single distinguished challenge. In the reduction to PRF, however, we cannot 
really take any advantage of the source of the strength of this notion, and hence 
the bounds derived are not as tight as what could be achieved otherwise. 

Another example of a notion with a distinguished challenge phase is the stan- 
dard indistinguishability of encryptions notion of security for encryption schemes 
[9,3]. Here again, using the notion of IUF instead of the standard PRF, we can 
hope to tighten analysis of PRF-based encryption schemes. We do this for the 
counter mode of encryption. 


1.4 Related Work 

We have already mentioned the foundational work on PRFs and PRPs [8,11] 
and the concrete security analysis of these objects [5,4]. Our approach in this 
work follows that of Bellare et al [3], who compared and classified notions of 
security for symmetric encryption schemes according to the concrete complex- 
ity of reductions. A concrete security analysis of various symmetric encryption 
schemes, including the counter mode, is given in that paper. Naor and Reingold 
have explored the relationship between unpredictable functions and PRFs under 
different attack models [12]. 

2 Definitions and Notation 


We describe different notions of security for (finite) function families in this 
section. A function family is a keyed multi-set F of functions where all functions 
have the same domain and range. To pick a function f from family F means to
pick a key a uniformly from the key space Keys(F) of F, and let f = F_a. A family F
has input length l and output length L if each f ∈ F maps {0,1}^l to {0,1}^L.

We let R_{l,L} denote the function family consisting of all functions with input
length l and output length L. Similarly, we let P_l denote the set of all permuta-
tions on l-bit strings.

A function family F is pseudorandom if the input-output behavior of F a is 
indistinguishable from the behavior of a random function of the same domain 
and range. This is formalized via the notion of statistical tests of Goldreich et 
al [8]. Our concrete security formalizations follow those of Bellare et al [5]. 

We first informally describe the two additional notions (IUF and IPF) for 
function families considered in this paper. The corresponding notions for per- 
mutation families (IUP and IPP) are analogous to these, and so we skip their 
description. At the end of this section, we formally define all these notions (for 
both function and permutation families). 

Indistinguishable- Uniform Functions. This is an adaptation of a notion 
given by Goldreich et al [8]. The idea is that a distinguisher should not be able 
to distinguish the output of the PRF from a uniformly distributed value in the 
range of the function. The formalization considers two different experiments. In 
both experiments we start by choosing a random key a ← Keys(F), specifying
a function F_a. In the first phase, the distinguisher is given an oracle for F_a and
allowed to query this oracle on points of its choice. It then outputs a point x that 
has not been queried yet and some state information s that it may want to pre- 
serve for use during the second phase. In one experiment, it receives in response 
the value F a (x). In the other experiment, it receives a uniformly distributed value 
in the range of F. The PRF family is “good” if no “reasonable” distinguisher 
can obtain significant advantage in distinguishing the two experiments. 

Indistinguishable-Point Functions. This is an adaptation of the indis- 
tinguishability of encryptions notion of security for encryption schemes. Here 
again we imagine a distinguisher A that runs in two phases. In the find phase, 
given adaptive access to an oracle for the function, it comes up with a pair of 
points x_0, x_1 that it has not queried yet and some state information s. In the
guess phase, given the output of the function y on one of these points and s, it 
must identify which of the two points goes with y. 

It is interesting that the notion IPP does capture pseudorandomness for per- 
mutation families. For most other primitives, we find that an indistinguishable- 
point-based characterization is weaker than an indistinguishable-uniform-based 
characterization. This is true for encryption schemes and turns out to be true 
for function families, as well. Observe that, for encryption schemes, we are usu- 
ally concerned with this weaker characterization, because it captures the desired 
security requirements. 

Formal Definitions. For each of the six notions we consider in this paper, we 
give definitions using the experiments defined in Figure 2. First, we consider the 
function family notions: PRF, IUF, and IPF. 
PRF: Exp^PRF_F(A, b)
  a ← Keys(F)
  O_0 ← F_a; O_1 ← R_{l,L}
  d ← A^{O_b}
  return d

PRP: Exp^PRP_F(A, b)
  a ← Keys(F)
  O_0 ← F_a; O_1 ← P_l
  d ← A^{O_b}
  return d

IUF: Exp^IUF_F(A, b)
  a ← Keys(F)
  (x, s) ← A^{F_a}(find) †
  y_0 ← F_a(x); y_1 ← {0,1}^L
  d ← A(guess, y_b, s)
  return d
  † x not queried to F_a

IUP: Exp^IUP_F(A, b)
  a ← Keys(F)
  (x, s) ← A^{F_a}(find) †
  y_0 ← F_a(x); y_1 ← {0,1}^l
  d ← A(guess, y_b, s)
  return d
  † x not queried to F_a

IPF: Exp^IPF_F(A, b)
  a ← Keys(F)
  (x_0, x_1, s) ← A^{F_a}(find) †
  y ← F_a(x_b)
  d ← A(guess, y, s)
  return d
  † x_0, x_1 not queried to F_a

IPP: Exp^IPP_F(A, b)
  a ← Keys(F)
  (x_0, x_1, s) ← A^{F_a}(find) †
  y ← F_a(x_b)
  d ← A(guess, y, s)
  return d
  † x_0, x_1 not queried to F_a


Fig. 2. Experiments defining each of the notions considered in this paper.


Definition 1. For each notion N ∈ {PRF, IUF, IPF}, let F: Keys(F) × {0,1}^l →
{0,1}^L be a finite function family. For an adversary A and b = 0, 1 define the
experiment Exp^N_F(A, b), as given in Figure 2. Define the advantage of A and the
advantage function of F, respectively, as follows. For any integers t, q ≥ 0,

Adv^N_F(A) = Pr[Exp^N_F(A, 0) = 0] − Pr[Exp^N_F(A, 1) = 0]

Adv^N_F(t, q) = max_A {Adv^N_F(A)}

where the maximum is over all A with time complexity t, making at most q queries. □

Here the “time-complexity” is the worst-case total execution time of the exper- 
iment, plus the size of the code of the adversary, in some fixed RAM model of 
computation. This convention is used for all definitions in this paper. 

Next, we turn our attention to the definitions for the corresponding permutation 
family notions: PRP, IUP, and IPP. 


Definition 2. For each notion N ∈ {PRP, IUP, IPP}, let F: Keys(F) × {0,1}^l →
{0,1}^l be a finite permutation family. For an adversary A and b = 0, 1 define
the experiment Exp^N_F(A, b), as given in Figure 2. Define the advantage of A and
the advantage function of F, respectively, as follows. For any integers t, q ≥ 0,

Adv^N_F(A) = Pr[Exp^N_F(A, 0) = 0] − Pr[Exp^N_F(A, 1) = 0]

Adv^N_F(t, q) = max_A {Adv^N_F(A)}

where the maximum is over all A with time complexity t, making at most q queries. □

3 Reductions Among the Notions 

In this section, we formally state the relations shown in Figure 1. The proofs for
these results are given in the full version of this paper [7].

We use the notation A ⇒ B to indicate a security-preserving reduction from
notion A to notion B. A → B indicates a reduction (not necessarily security-
preserving) from A to B. A ⇏ B and A ↛ B are the natural interpretations
given the above. This convention is followed for all reductions given in this paper.

3.1 Function Family Notions 

The first theorem says that if a function family has certain security in the stan- 
dard PRF sense, then it has essentially the same security in the IUF sense. 

Theorem 1. [PRF ⇒ IUF] For any function family F and integers t, q ≥ 1,
Adv^IUF_F(t, q) ≤ 2 · Adv^PRF_F(t', q)
where t' = t + O(l + L). □

Our next theorem says that if a function family is secure in the IUF sense, then 
it is also secure in the PRF sense, but the security is quantitatively lower. 

Theorem 2. [IUF → PRF] For any function family F and integers t, q ≥ 1,
Adv^PRF_F(t, q) ≤ q · Adv^IUF_F(t', q)
where t' = t + O(l + L). □

The following proposition establishes that the drop in security in the previous 
theorem was not due to any weakness of our reduction but is, in fact, intrinsic 
to the notions. We give a concrete example of a function family that has higher 
security in the PRF sense, with a gap of the same order as in Theorem 2. 

Proposition 1. [IUF ⇏ PRF] There exists a function family F such that
Ad v P F RF (t,q) > ^ and Adv™ F (t,q) < 1 
for any integers t ≥ 1 and 1 ≤ q ≤ 2^{L−1}. □
Our next two results demonstrate that the IPF notion is weaker than the other
two notions we have considered, and hence does not capture pseudorandomness.

Theorem 3. [IUF ⇒ IPF] For any function family F and integers t, q ≥ 1,
Adv^IPF_F(t, q) ≤ 2 · Adv^IUF_F(t', q)
where t' = t + O(l + L). □

Proposition 2. [IPF ↛ IUF] There exists a function family F such that

Adv^IUF_F(t, q) ≥ 1 − 2^{−qL} and Adv^IPF_F(t, q) = 0
for any integers t, q ≥ 1. □

3.2 Permutation Family Notions 

We first give the reductions between PRP and IUP. Our next three claims show 
that the security bounds we had derived between the notions for function families 
also hold between the corresponding notions for permutation families. 
Theorem 4. [PRP ⇒ IUP] For any permutation family F and integers t, q ≥ 1,
Adv^IUP_F(t, q) ≤ 2 · Adv^PRP_F(t', q)

where t' = t + O(l). □

Theorem 5. [IUP → PRP] For any permutation family F and integers t, q ≥ 1,
Adv^PRP_F(t, q) ≤ q · Adv^IUP_F(t', q)

where t' = t + O(l). □

Proposition 3. [IUP ⇏ PRP] There exists a permutation family F such that
Adv™ p (t,g) > ^ and Adv^^t,#) < - 
for any integers t ≥ 1 and 1 ≤ q ≤ 2^{L−1}. □

Next, we establish that IUP and IPP are of essentially equivalent strength. Note 
that this is a departure from the relationship that exists between the correspond- 
ing function family notions. 

Theorem 6. [IUP ⇒ IPP] For any permutation family F and integers t, q ≥ 1,
Adv^IPP_F(t, q) ≤ 2 · Adv^IUP_F(t', q)

where t' = t + O(l). □

Theorem 7. [IPP ⇒ IUP] For any permutation family F and integers t, q ≥ 1,
Adv^IUP_F(t, q) ≤ Adv^IPP_F(t', q)

where t' = t + O(l). □
4 Applications

Here, we give some motivation for the use of the IUF characterization of PRF 
families. As discussed in Section 1, use of this notion gives tighter security bounds 
for certain cryptographic protocols. We give two such examples in this section. 

4.1 The Case of Message Authentication Codes 

A message authentication code (MAC) enables two parties who share a secret key 
to authenticate their transmissions. To be secure, MACs must resist existential 
forgery under chosen-message attacks [10,5]. For deterministic MACs, this notion 
matches that of unpredictable functions (UPF) [1,12]. 

Formally, the notion is captured by allowing a distinguisher A to query a 
MAC oracle, F a , where F is a function family and a is a random MAC key. 
A must then output a point x that has not been queried yet, along with its 
prediction y for the value of F a (x). 

Definition 3. [Message authentication security: UPF] Let F: Keys(F) × {0,1}^l →
{0,1}^L be a MAC. For an adversary A define the following experiment:

Experiment Exp^UPF_F(A)

a ← Keys(F); (x, y) ← A^{F_a} // where x is a point that A has not queried
If y = F_a(x) then d ← 0 else d ← 1; Return d.

Define the advantage of A and the advantage function of F, respectively, as
follows. For any integers t, q ≥ 0,

Adv^UPF_F(A) = Pr[Exp^UPF_F(A) = 0]

Adv^UPF_F(t, q) = max_A {Adv^UPF_F(A)}

where the maximum is over all A with time complexity t, making at most q queries. □

PRF families are more well-studied than unpredictable function families and, 
moreover, are widely available. Hence, the observation that a PRF family con- 
stitutes a secure MAC [8] has proven very useful in practice. The following exact 
security reduction is already known [5]. 

Proposition 4. [PRF ⇒ UPF] For any function family F and integers t, q ≥ 1,
Adv^UPF_F(t, q) ≤ Adv^PRF_F(t', q) + 2^{−L}
where t' = t + O(l + L). □

The reduction is almost tight. Consider now translating the above, to get security 
as a MAC in terms of the security as a PRF family in the IUF sense. Using 
Theorem 2 will lead to a drop in security by a factor q. However, by applying a 
direct reduction, we avoid this expected loss. 
Proposition 5. [IUF ⇒ UPF] For any function family F and integers t, q ≥ 1,
Adv^UPF_F(t, q) ≤ Adv^IUF_F(t', q) + 2^{−L}
where t' = t + O(l + L).

Proof. The reduction is standard. Let A be a forger attacking the MAC F,
making at most q oracle queries and running in time at most t, in the experi-
ment Exp^UPF_F(A). We construct a distinguisher A', making at most q queries and
running in time at most t', using the forger A as a subroutine.

Let O_f be A'’s oracle. A'^{O_f} will run A using O_f to provide an appropriate
simulation of A’s oracle, as indicated below.

Algorithm A'^{O_f}

(1) Run A, answering any query u with O_f(u).

(2) Let (x, y) ← A.

(3) Output (x, y) and receive y' as the challenge.

(4) If y' = y then output 0, else output 1.

For simplicity, we assume that A makes exactly q queries in Exp^UPF_F(A). It is easy
to check that the time and query complexity are as claimed. Next, we compute
the advantage of A'.

Adv^IUF_F(A') = Pr[Exp^IUF_F(A', 0) = 0] − Pr[Exp^IUF_F(A', 1) = 0]
             = Pr[Exp^UPF_F(A) = 0] − 2^{−L} = Adv^UPF_F(A) − 2^{−L}

Given that A was any arbitrary forger, the claimed relation follows. □
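The reduction in the proof above, as an added example that is not the paper's code: steps (1) to (4) of A' are run inside Python simulations of the experiments Exp^UPF_F and Exp^IUF_F, over a toy family F_a(x) = x ⊕ a with l = L = 8 that is insecure by design so that a one-query forger exists and the reduction has something to convert. The toy family, the forger and the trial count are assumptions of this example.

```python
"""Simulation of the IUF => UPF reduction from the text: a MAC forger A is
turned into the distinguisher A' of steps (1)-(4), and Exp^UPF and Exp^IUF
are run to estimate both advantages (constructed example, not the paper's
code). The toy family F_a(x) = x XOR a on L = l = 8 bits is an assumption,
chosen because one known (x, F_a(x)) pair reveals the key; a real PRF
would give a forger, and hence A', advantage close to 0.
"""
import random

L = 8
RANGE = 1 << L


def F(a: int, x: int) -> int:
    """Toy function family, insecure by design."""
    return x ^ a


def forger(oracle):
    """UPF adversary A: one oracle query, then a prediction on a new point."""
    x1 = 0x55
    a_guess = oracle(x1) ^ x1           # recovers the key of the toy family
    x = 0xAA                            # fresh point, never queried
    return x, F(a_guess, x)


def exp_upf(adversary, rng):
    """Exp^UPF_F(A) from the text: returns 0 iff the forgery is valid."""
    a = rng.randrange(RANGE)
    queried = set()

    def oracle(u):
        queried.add(u)
        return F(a, u)

    x, y = adversary(oracle)
    assert x not in queried, "forger must predict a point it did not query"
    return 0 if y == F(a, x) else 1


def build_distinguisher(adversary):
    """A' of the text: (1) run A on the oracle, (2) take its (x, y),
    (3) output x with state y, (4) answer 0 iff the challenge equals y."""
    def find(oracle):                    # find phase: returns (x, s)
        x, y = adversary(oracle)
        return x, y

    def guess(y_challenge, state):       # guess phase
        return 0 if y_challenge == state else 1

    return find, guess


def exp_iuf(find, guess, b, rng):
    """Exp^IUF_F(A', b): b = 0 returns F_a(x), b = 1 a uniform L-bit value."""
    a = rng.randrange(RANGE)
    queried = set()

    def oracle(u):
        queried.add(u)
        return F(a, u)

    x, s = find(oracle)
    assert x not in queried, "x must not have been queried to F_a"
    y0 = F(a, x)
    y1 = rng.randrange(RANGE)
    return guess(y0 if b == 0 else y1, s)


def estimate_advantages(trials: int = 4000, seed: int = 7):
    """Monte-Carlo estimates of Adv^UPF(A) and Adv^IUF(A'); the proof
    gives Adv^IUF(A') = Adv^UPF(A) - 2^-L exactly."""
    rng = random.Random(seed)
    upf = sum(exp_upf(forger, rng) == 0 for _ in range(trials)) / trials
    find, guess = build_distinguisher(forger)
    p0 = sum(exp_iuf(find, guess, 0, rng) == 0 for _ in range(trials)) / trials
    p1 = sum(exp_iuf(find, guess, 1, rng) == 0 for _ in range(trials)) / trials
    return {"adv_upf": upf, "adv_iuf": p0 - p1, "predicted_gap": 2.0 ** -L}


if __name__ == "__main__":
    print(estimate_advantages())
```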

We say that Proposition 5 represents a tightening of the security bounds given
in Proposition 4 since, from Theorems 1 and 2, we know that Adv^IUF_F(t', q) is at
most 2 · Adv^PRF_F(t', q) and can be as small as (1/q) · Adv^PRF_F(t', q).

4.2 The Case of Symmetric Encryption Schemes 

In the following discussion, we use the standard syntax and notion of security 
for encryption schemes given by Bellare et al [3], which is an adaptation of one 
given by Goldwasser and Micali [9]. In the indistinguishability of encryptions un- 
der chosen-plaintext attack (IND) notion, the adversary A is imagined to run in 
two phases. In the find phase, given adaptive access to an encryption oracle, A 
produces a pair of equal-length messages x_0, x_1, along with some state informa-
tion s. In the guess phase, given the encryption y of one of the messages and s, 
it must identify which of the two messages goes with y. 

Definition 4. [Symmetric encryption security: IND] Let Π = (K, E, D) be an
encryption scheme. For an adversary A and b = 0, 1 define the experiment:

Experiment Exp^IND_Π(A, b)

a ← K; (x_0, x_1, s) ← A^{E_a}(find); y ← E_a(x_b); d ← A^{E_a}(guess, y, s); Return d.

It is mandated that |x_0| = |x_1| above. Define the advantage of A and the advan-
tage function of Π, respectively, as follows. For any integers t, q, p ≥ 0,

Adv^IND_Π(A) = Pr[Exp^IND_Π(A, 0) = 0] − Pr[Exp^IND_Π(A, 1) = 0]

Adv^IND_Π(t, q, p) = max_A {Adv^IND_Π(A)}

where the maximum is over all A with time complexity t, making at most q oracle
queries which total at most p bits. □


We analyze the counter mode of encryption based on a finite PRF. In practice, 
the finite PRF may be instantiated by a block cipher. For a finite PRF F, the 
counter mode $\mathrm{CTR}(F) = (\mathcal{E}\text{-CTR}, \mathcal{D}\text{-CTR}, \mathcal{K}\text{-CTR})$ can be described as follows. 
The key generation algorithm $\mathcal{K}$-CTR outputs a random key a for the underlying 
PRF family F, thereby specifying a function $f = F_a$ of l bits to L bits. The 
sender maintains an l-bit counter ctr that is initially $-1$ and is incremented 
after each encryption by the number of blocks encrypted. The message x to 
be encrypted is regarded as a sequence of L-bit blocks (padding is done first, 
if necessary), $x = x_1 \cdots x_n$. We define $\mathcal{E}\text{-CTR}_a(x, \mathrm{ctr}) = \mathcal{E}\text{-CTR}_{F_a}(x, \mathrm{ctr})$ and 
$\mathcal{D}\text{-CTR}_a(z) = \mathcal{D}\text{-CTR}_{F_a}(z)$, where: 


Algorithm $\mathcal{E}\text{-CTR}_f(x, \mathrm{ctr})$ 
    for $i = 1, \ldots, n$ do $y_i = f(\mathrm{ctr} + i) \oplus x_i$ 
    $\mathrm{ctr} \leftarrow \mathrm{ctr} + n$ 
    return $(\mathrm{ctr}, y_1 y_2 \cdots y_n)$ 

Algorithm $\mathcal{D}\text{-CTR}_f(z)$ 
    Parse z as $\mathrm{ctr}, y_1 \cdots y_n$ 
    for $i = 1, \ldots, n$ do $x_i = f(\mathrm{ctr} + i) \oplus y_i$ 
    return $x = x_1 \cdots x_n$ 

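As an added illustration (our own code, not the paper's), the following Python implements CTR(F) as described above, with $F_a$ instantiated by HMAC-SHA256 truncated to L bits and the sizes L = 64, l = 32 constructed for the example. It refuses to continue once the counter would loop around, and the ciphertext carries the counter value the sender started from so that D-CTR recomputes exactly the PRF points E-CTR used.

```python
import hashlib
import hmac
import os

# Sizes are constructed for the example; the paper leaves l and L abstract.
L_BITS = 64            # output block length L of the PRF
l_BITS = 32            # input length l: PRF points live in {0, ..., 2^l - 1}
BLOCK = L_BITS // 8    # one L-bit block, in bytes


def k_ctr():
    """K-CTR: pick a random key a for the PRF family F."""
    return os.urandom(16)


def prf(a, point):
    """f = F_a: l-bit input -> L-bit output. Instantiated here, as our own
    choice rather than the paper's, by HMAC-SHA256 truncated to L bits."""
    if not 0 <= point < 2 ** l_BITS:
        raise ValueError("PRF input outside the l-bit domain")
    mac = hmac.new(a, point.to_bytes(l_BITS // 8, "big"), hashlib.sha256).digest()
    return mac[:BLOCK]


def xor(u, v):
    return bytes(p ^ q for p, q in zip(u, v))


def e_ctr(a, x, ctr):
    """E-CTR_{F_a}(x, ctr). x must already be padded to n blocks of L bits.
    Block i is masked with f(ctr + i), i = 1..n. Returns the ciphertext
    (ctr, y_1 ... y_n) and the advanced counter ctr + n; the ciphertext carries
    the counter value the sender started from, which is what D-CTR needs to
    recompute the same PRF points."""
    if len(x) % BLOCK:
        raise ValueError("pad x to a multiple of L bits first")
    n = len(x) // BLOCK
    if ctr + n >= 2 ** l_BITS:
        # Going further would loop the counter around and reuse PRF points,
        # exactly the situation the bound mu <= L * 2^l in Theorem 8 excludes.
        raise ValueError("counter exhausted: refusing to reuse PRF points")
    y = b"".join(xor(prf(a, ctr + i), x[(i - 1) * BLOCK:i * BLOCK])
                 for i in range(1, n + 1))
    return (ctr, y), ctr + n


def d_ctr(a, z):
    """D-CTR_{F_a}(z): parse z as (ctr, y_1 ... y_n) and unmask each block."""
    ctr, y = z
    n = len(y) // BLOCK
    return b"".join(xor(prf(a, ctr + i), y[(i - 1) * BLOCK:i * BLOCK])
                    for i in range(1, n + 1))


def sender_session(a, messages):
    """Encrypt a sequence of messages with one stateful sender whose counter
    starts at -1 (as in the description above, so the first message uses
    points 0 .. n-1), decrypt each ciphertext, and collect every PRF point
    used, so the caller can check that no point is ever evaluated twice."""
    ctr = -1
    recovered, points = [], []
    for x in messages:
        z, ctr = e_ctr(a, x, ctr)
        start, y = z
        points.extend(range(start + 1, start + 1 + len(y) // BLOCK))
        recovered.append(d_ctr(a, z))
    return recovered, points


if __name__ == "__main__":
    key = k_ctr()
    msgs = [b"A" * 16, b"B" * 24, b"C" * 8]   # 2, 3 and 1 blocks
    rec, pts = sender_session(key, msgs)
    print(rec == msgs, pts, len(pts) == len(set(pts)))
```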

We show that CTR(F) is secure in the IND sense if F is secure in the IUF sense. 
As with our previous example, the reduction achieves the same concrete security 
bounds as those possible using the standard notion of PRF families. 


Theorem 8. [Security of CTR using an IUF function family] For any 
function family F and integers $t, q \ge 1$ and $L \le \mu \le L \cdot 2^l$, 

$\mathrm{Adv}^{\mathrm{ind}}_{\mathrm{CTR}(F)}(t, q, \mu) \le 2 \cdot \mathrm{Adv}^{\mathrm{iuf}}_F(t', q')$ 

where $t' = t + O(\frac{\mu}{L}(l + L))$ and $q' = \frac{\mu}{L}$. 

Proof. We want to show that if CTR(F) is not secure in the IND sense, then it 
must be the case that F is not secure in the IUF sense. Let A be an adversary 
attacking CTR(F), running in time at most t and making at most q oracle 
queries, these totalling at most $\mu$ bits, in the experiment $\mathbf{Exp}^{\mathrm{ind}}_{\mathrm{CTR}(F)}(A)$. We 
construct a distinguisher A', making at most q' queries and running in time at 
most t', using the adversary A as a subroutine. 

Let $O_f$ be the oracle of A'. $A'^{O_f}$ will run A using $O_f$ to provide an appropriate 
simulation of A's encryption oracle. We assume, for the sake of simplicity of the 
exposition, that the two messages A outputs at the end of its first phase are 
exactly L bits in length (i.e. of the size of one block). In the following, $\mu_g \le \mu$ 
is the amount of ciphertext A needs to see in its guess phase. 

Algorithm $A'^{O_f}$ 

(1) Initialize counter: $\mathrm{ctr} \leftarrow -1$. 
(2) Run A(find), answering any query u with $\mathcal{E}\text{-CTR}_{O_f}(u)$. 
(3) Let $(x_0, x_1, s) \leftarrow A(\mathrm{find})$. 
(4) Let the current value of the counter be $\mathrm{ctr}_0$. 
(5) Compute $T = \{ O_f(\mathrm{ctr}_0 + j) : 1 \le j \le \mu_g / L \}$. 
(6) Let $s' = (s, x_0, x_1, \mathrm{ctr}_0, T)$. 
(7) Output $(\mathrm{ctr}_0, s')$ and receive y as the challenge. 
(8) Let $d \leftarrow \{0, 1\}$. 
(9) Run $A(\mathrm{guess}, y \oplus x_d, s)$, answering any query u, using T, with $\mathcal{E}\text{-CTR}(u)$. 
(10) Let $d' \leftarrow A(\mathrm{guess}, y \oplus x_d, s)$. 
(11) If d = d' then output 0, else output 1. 

In the reduction above, A' maintains the counter ctr, incrementing it appropriately. 
It is important here that A' can implement $\mathcal{E}\text{-CTR}_f(\cdot, \mathrm{ctr})$ given an oracle 
for f. At the end of the find phase queries of A, it picks the current value of the 
counter $\mathrm{ctr}_0$ to be the output of its own find phase, along with the state information. 
A slight problem that comes up here is that A' does not have access 
to $O_f$ in its guess phase but it will still need to provide a simulation of the 
encryption oracle during A's guess phase queries. We get around this by having 
A' pre-compute the value of $O_f$ on as many points as necessary, starting 
from $\mathrm{ctr}_0 + 1$, to answer all of A's guess phase encryption oracle queries. These 
pre-computed values are in the set T which is passed to the guess phase of A' via 
the state information s'. Note that it is important that A' did not query $O_f$ with 
$\mathrm{ctr}_0$, since otherwise it could not output $\mathrm{ctr}_0$ as the point on which it gets its 
challenge. The counter mode guarantees that, as long as fewer than $2^l$ queries 
are made (i.e. the counter does not loop around), the function will always be 
invoked on a new point. 

The total number of oracle queries made by A' is at most $\mu / L$, which by assumption 
is q'. Given this, one can check that the running time of A' is as claimed. The 
advantage of A' is given by 

$\mathrm{Adv}^{\mathrm{iuf}}_F(A') = \Pr[\mathbf{Exp}^{\mathrm{iuf}}_F(A', 0) = 0] - \Pr[\mathbf{Exp}^{\mathrm{iuf}}_F(A', 1) = 0]$ 

$= \frac{1}{2} \Pr[\mathbf{Exp}^{\mathrm{ind}}_{\mathrm{CTR}(F)}(A, 0) = 0] + \frac{1}{2} \Pr[\mathbf{Exp}^{\mathrm{ind}}_{\mathrm{CTR}(F)}(A, 1) = 1] - \frac{1}{2}$ 

$= \frac{1}{2} \left( 1 + \mathrm{Adv}^{\mathrm{ind}}_{\mathrm{CTR}(F)}(A) \right) - \frac{1}{2} = \frac{1}{2} \mathrm{Adv}^{\mathrm{ind}}_{\mathrm{CTR}(F)}(A)$ 


Given that A is an arbitrary adversary, the claimed relation follows. 

5 Discussion 

We stress that the benefits of tighter security analyses, such as those we have 
presented here, are real. For example, using the standard notion of a PRF, the 
security of a protocol may appear to be marginal, prompting the use of a larger 
security parameter. However, using a tighter characterization, such as IUF, the 
security might have been determined to be adequate. 

As a criticism of our approach to getting tighter bounds for MACs and symmetric 
encryption schemes, one may suggest that we are looking at the wrong 
notions of security for these protocols. Indeed, there are alternate notions for 
which our gains would disappear. However, the notions of security we consider 
for both MACs and symmetric encryption are, in practice, the notions which are 
most widely used. 

Future Directions. Unlike the case with the counter mode of encryption, in 
our first example we view the entire MAC as being the primitive, when in fact 
it too may be built on a PRF (for example, the CBC-MAC based on a block 
cipher). While it seems unlikely that we can achieve a tighter security analysis 
for the CBC-MAC scheme using the same approach, it may be possible for other 
message authentication schemes. Then there are other schemes, besides those for 
message authentication and symmetric encryption, to which our techniques could 
be applied. For example, it may be possible to improve the security bounds of 
variable-length input pseudorandom functions (VI-PRFs) [2] and variable-input- 
length ciphers [6]. 

Using similar techniques as above, we can also get tighter bounds for PRP- 
based protocols. In a sense, this is more interesting, given that PRP families 
provide a more natural model for block ciphers [5]. Viewing a block cipher as a 
PRP family rather than a PRF family itself can lead to tighter security bounds. 
However, our examples were motivated by the fact that analysis of a block- 
cipher-based scheme is, as far as possible, done modeling the block cipher as a 
PRF. This is because the analysis using PRFs is usually significantly simpler. 

We remark that it seems somewhat significant that, in the indistinguishability 
of points characterization, there is a difference between function and permutation 
families. This seems to be the first such distinction, as far as we know, when 
asymptotic measures are used. It may be interesting to investigate further the 
impact of injectivity upon pseudorandomness. 
Abstract. This paper takes a closer look at Rivest’s chaffing-and-winnowing 
paradigm for data privacy. We begin with a definition which enables one to clearly 
determine whether a given scheme qualifies as “chaffing-and-winnowing.” We 
then analyze Rivest’s schemes to see what quality of data privacy they provide. 

His bit-by-bit scheme is easily proven secure but is inefficient. His more efficient 
scheme — based on all-or-nothing transforms (AONTs) — can be attacked under 
Rivest’s definition of security of an AONT, and even under stronger notions does 
not appear provable. However we show that by using OAEP as the AONT one 
can prove security, and also present a different scheme, still using AONTs, that is 
equally efficient and easily proven secure even under a relatively weak notion of 
security of AONTs. 

1 Introduction 

Rivest presents a number of methods to achieve data privacy based on a paradigm he 
calls “chaffing and winnowing” [11]. In this paper we provide a definition of chaffing 
and winnowing; assess whether the schemes of [11] can be proven to meet standard 
data-privacy goals, and, if so, under what kinds of assumptions on the underlying prim- 
itives; and suggest more efficient schemes and analyze their security. Let us first provide 
some background and motivation, and see what are the basic questions. Then we discuss 
our contributions in more detail. 

1.1 Background, Motivation, and Questions 

Chaffing and winnowing uses a message authentication code (MAC) to provide pri- 
vacy. However Rivest notes that in order to have privacy the MAC must be a pseudo- 
random function. (Any PRF is a good MAC [9,3] but not vice-versa.) Of course, there 
are many well-known ways to use a PRF to provide privacy; the interest of chaffing 
and winnowing arises from the particular manner in which the MAC is used, which 
is roughly the following. Each data block is authenticated so that one has a sequence 
of data-MAC pairs. Then “chaff” is interspaced, this consisting of pairs, each being a 
block with a random tag. The receiver can discard blocks with invalid tags — this is 
called “winnowing” — thereby recovering the data. (Within this framework, many spe- 
cific methods are possible.) Privacy requires that it be computationally infeasible for an 
adversary to tell valid MACs from random tags. (But it is also very sensitive to the manner 
in which chaff is interspaced.) Rivest argues that the use of the MAC here stays within 
its functionality as an authentication mechanism, and thereby makes moot a policy that 
restricts “encryption” while allowing authentication. 

Chaffing-and-winnowing has received a lot of attention on the political front, but little 
on the technical front barring that in the initial paper. It merits more serious attention 
from cryptographers, for two reasons. One is that a better technical understanding leads to a better 
understanding of the implications for the debate on cryptographic policy. Another reason 
is foundational. As Rivest notes in introducing his idea, there are very few paradigms 
for cryptography’s main goal, namely data privacy. A new paradigm such as the one he 
presents should be explored in order to assess its potential. 

The description and examples in [11] suffice to get the gist of the idea, but as we 
consider more complex mechanisms it is sometimes difficult to decide whether they 
obey the “rules of the game.” A definition is needed to settle such questions, and also 
for rigorous security analysis. Accordingly, we begin there. 

Chaffing and winnowing purports to provide data-privacy. A basic question is about 
the quality of privacy that it can provide. Specifically we want to know how it compares 
to standard mechanisms such as modes of operation of a block cipher, which have been 
proven to meet strong, well-defined notions of privacy under appropriate assumptions 
[2]. Can chaffing-and-winnowing based schemes provide the same level of privacy, and, 
if so, can this be proven, and under what assumptions? 

1.2 Defining Chaffing and Winnowing 

The security goal of a chaffing-and-winnowing scheme is to provide privacy in a sym- 
metric setting. Accordingly, from the security point of view, it is — in fact, must be — 
treated simply as a symmetric encryption scheme. There is some “encryption” process 
that takes a message and creates a “ciphertext”, and some “decryption” process that 
takes the ciphertext and recovers the message, both operating under a common secret 
key. (This is the key for the MAC.) These processes are not implemented in “usual” 
ways, but, abstractly, they must exist, else it is moot to talk of achieving privacy. Once 
this is understood, security can be measured using any of several well-known notions in 
the literature. (We adopt the simplest, namely the “find-then-guess” notion of [2], which 
is the most direct extension to the symmetric case of the notion of indistinguishability 
of [10].) 

Thus what defines chaffing and winnowing as a “notion” is not some novel secu- 
rity property but rather a novel set of restrictions on the processes (namely encryption 
and decryption) directed at achieving a standard security property (namely data pri- 
vacy). The crux of the definition is to pin down these restrictions. We view a chaffing- 
and-winnowing based encryption scheme as arising by the use of an authentication to 
privacy transform (ATPT) over a MAC-based authentication channel. 

The channel captures the manner in which the parties have access to the MAC function 
$\mathrm{MAC}(K, \cdot)$. An application on the sender side can pass data down to be MACed, 
thereby creating a packet (data-MAC pair) which is transmitted over the channel. (The 
application has no direct access to the $\mathrm{MAC}(K, \cdot)$ function, let alone to the underlying 
key K.) At the receiving end, packets with invalid MACs are dropped and the data 
from valid packets is passed up to the receiving application. (The latter sees no MACs 
and does not even know of the existence of the dropped packets.) See Figure 1 and 
Definition 4. 

The ATPT consists of three algorithms whose important feature is that they are all 
entirely keyless. The sending application applies a MakeWheat algorithm to the plain- 
text to turn it into a sequence of data blocks to be passed to the authentication channel. 
An AddChaff procedure is responsible for interspacing chaff packets into the stream 
of valid packets output by the authentication channel. Finally the receiving application 
applies a Recover algorithm to the received data blocks to get back the plaintext. See 
Definition 5. 

We stress again that the algorithms in the ATPT are keyless, so that on their own they 
cannot be used to provide privacy. The chaff and winnow based encryption scheme is 
realized by coupling these algorithms with the authentication channel. This is illustrated 
in Figure 2. 

The definition (provided in Section 3) can help clarify the contribution of chaffing 
and winnowing to the debate on cryptographic policy by providing a means to evaluate 
whether a particular method qualifies as “legal encryption based on authentication.” If 
one scheme meeting the definition qualifies, so do the rest, even if their implementation 
is more complex. 

1.3 Security of Rivest’s Schemes 

Rivest notes that his first few examples will not provide a high level of privacy. (In 
particular they will not meet a notion of privacy such as find-then-guess.) The first 
serious candidate is the bit-by-bit scheme. 

Bit-by-bit scheme. Here the MakeWheat procedure splits the plaintext into bits and 
appends a counter or nonce to each bit. These data blocks are MACed. The AddChaff 
procedure inserts, for every valid packet, an invalid packet with the opposite bit value 
and an appended nonce, together with a random value for the tag. We prove that this 
scheme provides privacy in the find-then-guess sense assuming the MAC is a pseudo- 
random function. The concrete security analysis is provided in Theorem 1. 

This indicates that chaffing and winnowing can provide privacy of as high a quality 
as standard encryption schemes, and furthermore with provable guarantees based on the 
same assumption — namely a pseudorandom function — used to prove the security of 
popular block cipher modes of operation [2]. There is however a high cost in bandwidth: 
two nonces and two tags are needed per bit of plaintext. 

Scattering schemes. In order to reduce the bandwidth, Rivest suggests an alter- 
native paradigm. First apply an all-or-nothing transform (AONT) [12] to the plaintext. 
(This is a keyless, invertible transform with the property that inversion is hard if any 
block of the output is missing.) Each block of the output of the AONT is MACed, re- 
sulting in a stream of valid packets. Then s' chaff packets are inserted into random 
positions in this stream. Intuitively, an adversary must guess the positions of all s' chaff 
packets in order to decipher. (Accordingly it is suggested that security will be provided 
for a value of s' that does not depend on the length of the plaintext, e.g. s' = 128, so 
this method is cost-effective for long plaintexts.) Upon closer examination, however, 
the security provided by this paradigm is unclear. We note first that under the original 
definition of an AONT provided in [12] the scheme is insecure. (We show that there are 
example AONTs that meet the definition of [12] but for which there are attacks compromising 
the privacy of the chaffing-and-winnowing scheme.) It is natural to then try 
to use Boyko’s stronger definition of security for an AONT [6]. In that case the analysis 
is inconclusive: the stronger property of an AONT still does not appear to suffice 
to prove security of the chaffing-and-winnowing scheme, but neither do we exhibit a 
counter-example that confirms this. We would prefer a provably-secure scheme. 

Scattering with OAEP. The above-mentioned analyses indicate that in general an 
AONT seems neither necessary nor sufficient as the initial transform to provide privacy 
of the scattering based chaffing-and-winnowing scheme. We show however that if the 
OAEP transform of [5] is used as the AONT, then privacy can be proved. (This, like all 
security proofs involving OAEP, is in a random oracle model [4].) The concrete security 
analysis provided in Theorem 2 supports the intuition regarding the scattering scheme 
provided in [11] — the probability of breaking the scheme is inversely proportional to 
$\binom{s + s'}{s'}$ where s is the number of blocks in the output of OAEP and s' is the number of 
chaff blocks. 

Note that OAEP has been shown to be a secure AONT [6], but given the above we 
cannot exploit this here. Instead, our proof is direct, based on techniques from [5,6]. It 
is an open question whether other specific constructions of AONTs such as that of [7] 
suffice to prove security of the scheme. 

1.4 New Schemes 

We point out that there is an alternative to the scattering scheme that is simpler, can 
be proven secure, and is equally cost-effective. It too makes use of AONTs and can 
be proven secure for any AONT meeting a notion of security that is actually weaker 
than that of [6]. (In particular one can use OAEP or use the construct of [7] and avoid 
random oracles but there may be other more efficient instantiations.) The construction 
applies the AONT to the plaintext as before. Rather than scattering chaff into the output 
blocks, however, it simply treats a prefix of this output as the plaintext for the bit-by-bit 
chaffing-and-winnowing scheme and applies the latter. Theorem 3 provides a concrete 
security analysis of the final chaffing-and-winnowing scheme. 

1.5 Is Chaffing and Winnowing “Encryption”? 

We view chaffing-and-winnowing schemes as (special kinds of) symmetric encryption 
schemes, the key for encryption and decryption being that of the MAC function. This 
might at first seem to contradict Rivest’s view [11]. He says that the process of chaffing 
and winnowing is “not encryption” and that there is no “decryption key.” These views 
are not at odds with each other; the difference is purely in terminology. We are using 
the technical terminology of cryptographers which is more suited to security analysis, 
while Rivest uses the terminology of cryptographic policy discussion. (The convention 
in modern cryptography, which we are following here, is to use the term “encryption 
scheme” for any mechanism whose goal is to provide privacy. Under this convention, 
the key for the MAC is, by definition, a decryption key, since it enables recovery of 
the plaintext from the ciphertext. In cryptographic policy, “encryption” seems to refer 
to certain mechanisms rather than a goal. Actually, exactly what it refers to is unclear, 
which is part of the point made in [11].) 

2 Symmetric Encryption, PRFs, and AONTs 

Symmetric encryption. A symmetric encryption scheme $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ consists 
of a (randomized) key generation algorithm $\mathcal{K}$ (returning a key K), a (randomized or 
stateful) encryption algorithm $\mathcal{E}$ (taking K and a message $M \in \{0,1\}^*$ to return a ciphertext 
C) and a decryption algorithm $\mathcal{D}$ (taking K and a ciphertext and returning a 
message). We require that $\mathcal{D}_K(\mathcal{E}_K(M)) = M$ for all $M \in \{0,1\}^*$. In the “find-then-guess” 
model [2] an adversary is given an oracle for encryption under key K and wins if 
it can find two equal-length messages whose ciphertexts it can later distinguish. Below 
we associate to any adversary an “advantage” which measures its winning probability, 
and then use as security measure of the scheme the maximum possible advantage 
subject to stated resource restrictions on the adversary. 

Definition 1. (Find-then-guess security of encryption, [2]) Let $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a 
symmetric encryption scheme. For an adversary A and b = 0, 1 define the experiment 

Experiment $\mathbf{Exp}^{\mathrm{priv}}_{\mathcal{SE}}(A, b)$ 

$K \leftarrow \mathcal{K}$; $(M_0, M_1, St) \leftarrow A^{\mathcal{E}_K(\cdot)}(\mathrm{find})$; $C \leftarrow \mathcal{E}_K(M_b)$; 
$d \leftarrow A^{\mathcal{E}_K(\cdot)}(\mathrm{guess}, C, St)$; Return d 

Here St is some state information that the adversary may want to preserve to help it 
later. It is mandated that $|M_0| = |M_1|$ above. Now define the advantage of A and the 
advantage function of the scheme respectively, as follows: 

$\mathrm{Adv}^{\mathrm{priv}}_{\mathcal{SE}}(A) = \Pr[\mathbf{Exp}^{\mathrm{priv}}_{\mathcal{SE}}(A, 0) = 0] - \Pr[\mathbf{Exp}^{\mathrm{priv}}_{\mathcal{SE}}(A, 1) = 0]$ 

$\mathrm{Adv}^{\mathrm{priv}}_{\mathcal{SE}}(t, q, \mu) = \max_A \{ \mathrm{Adv}^{\mathrm{priv}}_{\mathcal{SE}}(A) \}$ 

where the maximum is over all A with “time-complexity” t, making at most q encryption 
oracle queries, these totalling at most $\mu$ bits. □ 

In this paper for simplicity we assume that all messages encrypted have the same length, 
usually denoted m. This means that $\mu = mq$. We also assume that the length of each of 
the challenge messages is m. The “time-complexity” refers to the worst case execution 
time of experiment $\mathbf{Exp}^{\mathrm{priv}}_{\mathcal{SE}}(A)$ plus the size of the code of A, in some fixed RAM 
model of computation. We are considering only chosen-plaintext attacks, not chosen-ciphertext 
attacks. 

Pseudorandom functions. Consider a map $F: \{0,1\}^k \times S \to \{0,1\}^\ell$ which takes 
a key $K \in \{0,1\}^k$ and an input x from the domain S to return an output $y = F(K, x)$. 
The domain S is for convenience $\{0,1\}^*$, or at least the set of all strings of length 
up to some very large maximum length. The notation $g \leftarrow F$ is shorthand for $K \leftarrow \{0,1\}^k$; 
$g \leftarrow F(K, \cdot)$. We let R denote the family of all functions of S to $\{0,1\}^\ell$ so 
that $g \leftarrow R$ denotes the operation of selecting at random a function of S to $\{0,1\}^\ell$. 
A distinguisher D is an algorithm that takes an oracle for a function $g: S \to \{0,1\}^\ell$, 
and after computing with this oracle returns a bit. The following is the notion of [9] 
concretized as per [3]. 

Definition 2. Let F, R be as above, let D be a distinguisher and suppose $t, q, \mu \ge 0$. 
Define the advantage of D, and the advantage function of F, respectively, as 

$\mathrm{Adv}^{\mathrm{prf}}_F(D) = \Pr[D^g = 1 : g \leftarrow F] - \Pr[D^g = 1 : g \leftarrow R]$ 

$\mathrm{Adv}^{\mathrm{prf}}_F(t, q, \mu) = \max_D \{ \mathrm{Adv}^{\mathrm{prf}}_F(D) \}$ 

where the maximum is over all D with time-complexity at most t, making at most q 
oracle queries, these totalling at most $\mu$ bits. □ 

All-or-nothing transforms. An all-or-nothing transform is an efficiently computable, 
keyless, randomized transformation AONT which maps a message to a sequence 
of blocks such that given the AONT of some message, one can easily compute 
the original message [12]. The (deterministic) inverse transformation permitting recovery 
of the message from the output is denoted $\mathrm{AONT}^{-1}$. Security pertains to the question 
of what information you can compute about the message if you are given all but 
one of the output blocks, and several notions have been suggested [12,6,8]. We provide 
our formalization and compare it to the others later. 

We assume for simplicity that the AONT takes input messages of length m and 
has outputs of length sn. The attack allowed is non-adaptive, meaning the adversary 
fixes beforehand the position of the output block that will be omitted. Denote this by 
$L \in \{1, \ldots, s\}$. During the find stage the adversary comes up with a pair of messages 
$M_0$ and $M_1$, both of length m. In its guess stage it is given an AONT of one of the 
plaintexts $M_0, M_1$, with block L missing. The adversary wins if it correctly guesses 
which message goes with the challenge AONT. If $X \in \{0,1\}^{sn}$ is a string of s blocks, 
each n bits long, then we let $X[1, \ldots, L-1, L+1, \ldots, s]$ denote the string consisting 
of blocks $1, \ldots, L-1, L+1, \ldots, s$ of X, meaning all but block L. 

Definition 3. Let AONT be a (randomized) algorithm taking an input of length m and 
returning an output of length sn. Let $L \in \{1, \ldots, s\}$ be a block number. St denotes 
some state information. For b = 0, 1 define the experiment 

Experiment $\mathbf{Exp}^{\mathrm{aont}}_{\mathrm{AONT}, L}(A, b)$ 

$(M_0, M_1, St) \leftarrow A(\mathrm{find})$; $C \leftarrow \mathrm{AONT}(M_b)[1, \ldots, L-1, L+1, \ldots, s]$; 
$d \leftarrow A(\mathrm{guess}, C, St)$; Return d 

Now define the advantage of A and the advantage function of AONT, respectively, as 
follows: 

$\mathrm{Adv}^{\mathrm{aont}}_{\mathrm{AONT}, L}(A) = \Pr[\mathbf{Exp}^{\mathrm{aont}}_{\mathrm{AONT}, L}(A, 0) = 0] - \Pr[\mathbf{Exp}^{\mathrm{aont}}_{\mathrm{AONT}, L}(A, 1) = 0]$ 

$\mathrm{Adv}^{\mathrm{aont}}_{\mathrm{AONT}, L}(t) = \max_A \{ \mathrm{Adv}^{\mathrm{aont}}_{\mathrm{AONT}, L}(A) \}$ 

where the maximum is over all A with “time-complexity” t. □ 
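To make Definition 3 concrete, here is an added Python example (our code, not the paper's) of the OAEP transform of [5] used as a keyless AONT, with the random oracles G and H modelled by SHA-256 and the block length n = 64 constructed for the example. It builds the challenge string AONT(M)[1, ..., L−1, L+1, ..., s] and shows that plugging any guess into the missing position scrambles every block of the recovered message, because r = Y ⊕ H(X) changes and so does the whole mask G(r).

```python
import hashlib
import os

N_BITS = 64              # block length n (constructed for the example)
BLOCK = N_BITS // 8


def G(r, length):
    """Generator G of OAEP, modelled as a random oracle: expand the n-bit seed r
    to `length` bytes with a SHA-256 counter construction (our instantiation)."""
    out, i = b"", 0
    while len(out) < length:
        out += hashlib.sha256(b"G" + r + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:length]


def H(x):
    """Hash H of OAEP, modelled as a random oracle with an n-bit output."""
    return hashlib.sha256(b"H" + x).digest()[:BLOCK]


def xor(u, v):
    return bytes(p ^ q for p, q in zip(u, v))


def aont(M, r=b""):
    """OAEP as an AONT: X = M xor G(r), Y = r xor H(X); output X || Y as
    s = m/n + 1 blocks of n bits. r is a fresh random n-bit string unless the
    caller supplies one (done only to make the example reproducible)."""
    if len(M) % BLOCK:
        raise ValueError("message length m must be a multiple of n")
    r = r or os.urandom(BLOCK)
    X = xor(M, G(r, len(M)))
    Y = xor(r, H(X))
    out = X + Y
    return [out[i:i + BLOCK] for i in range(0, len(out), BLOCK)]


def aont_inverse(blocks):
    """AONT^{-1}: deterministic and keyless. r = Y xor H(X), then M = X xor G(r).
    Every block is needed: H(X) depends on all of X, and r is hidden in Y."""
    if any(b is None for b in blocks):
        raise ValueError("a block is missing: the inverse is undefined")
    X, Y = b"".join(blocks[:-1]), blocks[-1]
    r = xor(Y, H(X))
    return xor(X, G(r, len(X)))


def omit_block(blocks, L):
    """AONT(M)[1, ..., L-1, L+1, ..., s]: the challenge C of Definition 3, with
    the omitted position L (1-indexed) marked by None."""
    if not 1 <= L <= len(blocks):
        raise ValueError("L must name one of the s blocks")
    return blocks[:L - 1] + [None] + blocks[L:]


def invert_with_guess(C, guess):
    """What a holder of C can do: fill the hole with a guess and invert. Unless
    the guess equals the missing block, the recovered r is wrong and G(r) masks
    every message block with unrelated bits."""
    return aont_inverse([guess if b is None else b for b in C])


def blocks_recovered(M, recovered):
    """Number of n-bit message blocks that came back intact."""
    return sum(M[i:i + BLOCK] == recovered[i:i + BLOCK]
               for i in range(0, len(M), BLOCK))


if __name__ == "__main__":
    M = bytes(range(24))                       # m = 3 blocks, so s = 4
    blocks = aont(M)
    print(aont_inverse(blocks) == M)           # True: all blocks present
    for L in (1, 2, 3, 4):
        C = omit_block(blocks, L)
        print(L, blocks_recovered(M, invert_with_guess(C, b"\x00" * BLOCK)))
```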

We now compare this to other notions, in all cases considering an adversary having 
a string C consisting of all but one block of the output. Rivest [12] asks that given 
C it be computationally infeasible to get any non-trivial information about any block 
of the message. Our definition is stronger than his, meaning any AONT secure in our 
sense is secure in his sense. Boyko’s definition of security [6] asks that given C it be 
computationally infeasible to get any non-trivial information about the message as a 
whole, not just individual blocks. Desai [8] asks that C be indistinguishable from a 
random string of the same length. Our definition is weaker than either of these, in the 
sense that any AONT secure in their sense is secure in our sense. 

Fig. 1. Authentication channel (figure: the tag module applies $\mathrm{MAC}(K, \cdot)$ to the data $dt_1, \ldots, dt_n$). 


3 Defining Chaffing and Winnowing 

Fix a map $\mathrm{MAC}: \{0,1\}^k \times \{0,1\}^* \to \{0,1\}^\ell$ to be used as a message authentication 
code. (Security assessments will assume that this map is a pseudorandom function, but 
discussions and constructions will refer to it as a MAC.) A packet is a pair (dt, tg) 
consisting of data dt and a tag tg where the length of tg is $\ell$ bits, the length of the 
output of MAC. A packet (dt, tg) is valid with respect to $\mathrm{MAC}_K$ — where $K \in \{0,1\}^k$ 
is some key for the MAC — if $\mathrm{MAC}_K(dt) = tg$, and invalid with respect to $\mathrm{MAC}_K$ 
otherwise. When $\mathrm{MAC}_K$ is understood, we simply talk of valid and invalid packets. 

The sender and receiver have an authenticated channel of communication based on 
the MAC. Each party has a module responsible for authentication. These modules hold 
in common a key $K \in \{0,1\}^k$ for the MAC. When the sender wants to send data 
dt to the receiver in an authenticated way, the sender passes dt to its authentication 
module, which creates the (valid) packet $Pkt = (dt, \mathrm{MAC}(K, dt))$. This packet is sent 
to the receiver. We call this the “tag” procedure. The packet is received by the receiver’s 
authentication module, which verifies the tag. If the tag is valid, it passes the data “up” 
to the receiver. If the tag is not valid, the packet is simply discarded; nothing is passed up 
to the receiver. The receiving module thus acts as a “filter”, separating “wheat” (valid) 
packets from “chaff” (invalid) packets, and passing to the receiver only the data from 
the valid packets. This is what [11] calls the “winnow” procedure. The two procedures 
are specified in detail below, and the channel is depicted in Figure 1. 


Definition 4. [MAC-based tag and winnow procedures] We associate to a MAC 
function $\mathrm{MAC}: \{0,1\}^k \times \{0,1\}^* \to \{0,1\}^\ell$ the following tag and winnow procedures. 
The tag procedure produces a valid packet from the input data. The winnow procedure 
takes as input a stream of packets and returns the data of the valid packets: 

Algorithm $\mathrm{Tag}_{\mathrm{MAC}(K, \cdot)}(dt_1, \ldots, dt_n)$ 
    For $i = 1, \ldots, n$ do 
        $tg_i \leftarrow \mathrm{MAC}(K, dt_i)$ 
        Return $(dt_i, tg_i)$ 
    EndFor 

Algorithm $\mathrm{Winnow}_{\mathrm{MAC}(K, \cdot)}(Pkt'_1, \ldots, Pkt'_{n'})$ 
    For $i = 1, \ldots, n'$ do 
        Parse $Pkt'_i$ as (dt, tg) 
        If $\mathrm{MAC}(K, dt) = tg$ then return dt 
    EndFor 

Here $K \in \{0,1\}^k$ is a key for the MAC and n' is the number of packets in the input 
stream. □ 

The receiver has no direct access to the packets or their MACs, no access to (or even 
knowledge of) the invalid packets, which are simply discarded by the winnow proce- 
dure. The receiver only gets, in order, the data part of the valid packets. 

Definition 5. [ATPT] An authentication to privacy transform (ATPT) with tag length 
$\ell$ is a triple ATPT = (MakeWheat, AddChaff, Recover) of algorithms, where 

• MakeWheat takes as input a message M and returns a sequence $w_1, \ldots, w_n$ of 
strings called the wheat strings 

• AddChaff takes as input a sequence $Pkt_1, \ldots, Pkt_n$ of packets called the wheat 
packets and returns another sequence $Pkt'_1, \ldots, Pkt'_{n'}$ of packets 

• Recover takes as input strings $w_1, \ldots, w_n$ and returns a message M. 

The first two algorithms can be probabilistic or stateful (accessing a global state variable 
such as a counter). The last algorithm is usually deterministic and stateless. □ 

An ATPT above is used in combination with an authentication channel to provide con- 
fidentiality. The way the process works is depicted and explained in Figure 2. Our inter- 
est is in the security of this entire procedure viewed as a symmetric encryption scheme. 
For this purpose it is convenient to think of it more as a standard symmetric encryption 
scheme, consisting of a key generation, encryption and decryption procedure. (The fact 
that it works by chaff and winnow is irrelevant to the security, although of course cru- 
cial to policy debate.) Below, we specify the symmetric encryption scheme that results 
from running a given ATPT over a given authentication channel, by specifying the three 
constituent algorithms. 

Definition 6. Let ATPT = (MakeWheat, AddChaff, Recover) be an ATPT with tag 
length $\ell$, and let $\mathrm{MAC}: \{0,1\}^k \times \{0,1\}^* \to \{0,1\}^\ell$ be a MAC. Associated to them is 
a canonical encryption scheme $(\mathcal{K}, \mathcal{E}, \mathcal{D})$. The key generation algorithm $\mathcal{K}$ is the same 
as that of the MAC, namely it outputs a random k-bit key K, and the encryption and 
decryption algorithms are as follows: 

Algorithm $\mathcal{E}_K(M)$ 
    $(w_1, \ldots, w_n) \leftarrow \mathrm{MakeWheat}(M)$ 
    For $i = 1, \ldots, n$ do 
        $Pkt_i \leftarrow (w_i, \mathrm{MAC}_K(w_i))$ 
    EndFor 
    $(Pkt'_1, \ldots, Pkt'_{n'}) \leftarrow \mathrm{AddChaff}(Pkt_1, \ldots, Pkt_n)$ 
    Return $Pkt'_1, \ldots, Pkt'_{n'}$ 

Algorithm $\mathcal{D}_K(Pkt'_1, \ldots, Pkt'_{n'})$ 
    $(dt_1, \ldots, dt_n) \leftarrow \mathrm{Winnow}_{\mathrm{MAC}(K, \cdot)}(Pkt'_1, \ldots, Pkt'_{n'})$ 
    $M \leftarrow \mathrm{Recover}(dt_1, \ldots, dt_n)$ 
    Return M 

We require that $\mathcal{D}_K(\mathcal{E}_K(M)) = M$ for all $M \in \{0,1\}^*$. □ 
Fig. 2. Chaff-and-winnow based “encryption”. The (plaintext) message M is first processed 
by a (keyless) transform MakeWheat to yield a sequence $w_1, \ldots, w_n$ of strings, each of 
which is MACed to yield a stream $Pkt_1 = (w_1, tg_1), \ldots, Pkt_n = (w_n, tg_n)$ of valid 
packets, where $tg_i = \mathrm{MAC}(K, w_i)$ for $i = 1, \ldots, n$. The (keyless) AddChaff procedure 
adds chaff packets to produce a new stream $Pkt'_1, \ldots, Pkt'_{n'}$ of packets (the ciphertext) 
which is sent to the receiver. They hit the receiver’s winnow (cf. Definition 4) which discards 
packets with invalid MACs, and passes up to the receiver the data from the valid 
packets. A (keyless) Recover procedure now puts this data together to get back the original 
message M. The three keyless algorithms MakeWheat, AddChaff, and Recover comprise 
what we call the ATPT (authentication to privacy transform) — they enable the possibility 
of obtaining confidentiality via an existing authentication channel without the addition of 
any extra cryptographic elements. 


The last requirement is made so that this is a valid symmetric encryption scheme, mean- 
ing correctly encrypted data can be decrypted by a receiver that knows the secret key. 

In the sequel, we will specify chaff-and-winnow based encryption schemes directly 
as standard symmetric encryption schemes, because this is more conducive to security 
assessments. Accordingly it is useful to have the following terminology. 

Definition 7. Let $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a symmetric encryption scheme. We say that $\mathcal{SE}$ is a chaff-and-winnow based encryption scheme if there exists an ATPT transform $\mathsf{ATPT}$ and a MAC $\mathsf{MAC}\colon \{0,1\}^k \times \{0,1\}^* \to \{0,1\}^l$ such that $\mathcal{SE}$ is exactly the canonical confidentiality procedure associated to $\mathsf{ATPT}$ and $\mathsf{MAC}$ as per Definition 6.

4 Analysis of Rivest’s Schemes 

As above, $\mathsf{MAC}\colon \{0,1\}^k \times \{0,1\}^* \to \{0,1\}^l$ is a message authentication code. In the bit-by-bit scheme, the sender maintains a counter $\mathsf{ctr}$ that is initially zero. The encryption procedure (more precisely, the $\mathsf{MakeWheat}$ algorithm) increments this counter upon each invocation. Assume all messages to be encrypted have length $m$.
Scheme 1. [Bit-by-bit CW] The key generation algorithm $\mathcal{K}$ of this symmetric encryption scheme returns a random $k$-bit key $K$ for the MAC, and the encryption and decryption algorithms are as follows:

Algorithm $\mathcal{E}_K(M)$
    Break $M$ into bits, $M = b_1 \ldots b_m$
    For $i = 1, \ldots, m$ do
        $\mathsf{tg}[i, b_i] \leftarrow \mathsf{MAC}(K, b_i \| \langle \mathsf{ctr} + i \rangle)$
        $\mathsf{tg}[i, \bar{b}_i] \xleftarrow{\$} \{0,1\}^l$
        $\mathsf{Pkt}[i, 0] \leftarrow (0 \| \langle \mathsf{ctr} + i \rangle, \mathsf{tg}[i, 0])$
        $\mathsf{Pkt}[i, 1] \leftarrow (1 \| \langle \mathsf{ctr} + i \rangle, \mathsf{tg}[i, 1])$
    EndFor
    $\mathsf{ctr} \leftarrow \mathsf{ctr} + m$
    Return $\mathsf{Pkt}[1, 0], \mathsf{Pkt}[1, 1], \ldots, \mathsf{Pkt}[m, 0], \mathsf{Pkt}[m, 1]$

Algorithm $\mathcal{D}_K(\mathsf{Pkt}_1, \ldots, \mathsf{Pkt}_{2m})$
    For $i = 1, \ldots, 2m$ do
        Parse $\mathsf{Pkt}_i$ as $(\mathsf{dt}, \mathsf{tg})$
        If $\mathsf{MAC}(K, \mathsf{dt}) = \mathsf{tg}$ then return first bit of $\mathsf{dt}$
    EndFor

Here $\bar{b}$ denotes the complement bit of $b$ and $\langle i \rangle$ denotes the binary representation of integer $i$ as a binary string of some fixed, predefined length $p$. The “wheat” packets are $\mathsf{Pkt}[i, b_i]$ for $i = 1, \ldots, m$ and the “chaff” packets are $\mathsf{Pkt}[i, \bar{b}_i]$ for $i = 1, \ldots, m$.

In the full version of this paper [1] we show formally that the above (and other schemes 
of this paper) are chaff-and-winnow based encryption schemes by saying what are the 
algorithms MakeWheat, AddChaff, and Recover. 

The following theorem shows that this scheme meets the “find-then-guess” notion of privacy under the assumption that MAC is a PRF. The reduction is almost tight. The proof is in [1].

Theorem 1. Let $\mathsf{MAC}\colon \{0,1\}^k \times \{0,1\}^* \to \{0,1\}^l$ be a pseudorandom function and let $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be the bit-by-bit chaff-and-winnow based encryption scheme of Scheme 1. Assume the counter is $p$ bits long. Then for any $t, q, \mu$ with $\mu < 2^p$,

$$\mathbf{Adv}^{\mathrm{priv}}_{\mathcal{SE}}(t, q, \mu) \le 2 \cdot \mathbf{Adv}^{\mathrm{prf}}_{\mathsf{MAC}}(t, q', \mu'),$$

where $q' = \mu$ and $\mu' = (1 + p)\mu$.


If the counter is allowed to wrap around, the scheme is obviously insecure. It is possible to use randomness instead of a counter. In this case each bit of the message is concatenated with a random value represented as a string of some fixed, predefined length. This value is drawn at random for each bit of the message. The analysis is analogous but the concrete security is worse due to birthday attacks.

The security of these schemes comes with a price. They are very inefficient since 
they have large data expansion: if the message is m bits long then 2m (1 + p + l) bits 
are transmitted, where p is the length of a counter and l is the length of the output of 
the MAC. Bleichenbacher suggested that it is possible to reduce the communication 
cost by a factor of two by selecting at random and sending just one packet for each 
bit, either a chaff or a wheat packet. The receiver checks the validity of the data packet 
and complements the bit if the packet is invalid. Bleichenbacher further suggested that 
it is possible to reduce the communication even more if the sender authenticates each 
byte of the message and transmits only the computed MAC, but not the byte itself. The 
receiver then has to compute MACs for all possible bytes and take that for which the 
MACs match. 

Another scheme mentioned in [11] authenticated message blocks of some length 
rather than single bits, but the author already indicated that it was insecure under strin- 
gent notions of privacy such as the one we use here. We go on to the scattering scheme. 

As before let $\mathsf{MAC}\colon \{0,1\}^k \times \{0,1\}^* \to \{0,1\}^l$ be our message authentication 
code. In the scattering scheme, the output of an AONT is viewed as a sequence of s 
blocks, each n bits long. The ciphertext will contain s wheat packets interspaced with 
s' > 0 chaff packets, where s' is a parameter of the scheme. The wheat packet positions 
are a random subset of {1, . . . , s + s'}. The full description follows. 


Scheme 2. [Scattering scheme] We fix an all-or-nothing transform $\mathsf{AONT}\colon \{0,1\}^m \to \{0,1\}^{sn}$. We assume that all messages to be encrypted have length $m$. The key generation algorithm $\mathcal{K}$ of this symmetric encryption scheme returns a random $k$-bit key $K$ for the MAC, and the encryption and decryption algorithms are as follows:

Algorithm $\mathcal{E}_K(M)$
    $M' \leftarrow \mathsf{AONT}(M)$
    Parse $M'$ as $m_1 \| m_2 \| \cdots \| m_s$ where $|m_i| = n$
    Pick $S \subseteq \{1, \ldots, s + s'\}$ at random subject to $|S| = s$
    $j \leftarrow 0$
    For $i = 1, \ldots, s + s'$ do
        If $i \in S$ then
            $j \leftarrow j + 1$
            $\mathsf{tg}[i] \leftarrow \mathsf{MAC}(K, m_j)$
            $\mathsf{Pkt}[i] \leftarrow (m_j, \mathsf{tg}[i])$
        else
            $\mathsf{dt}[i] \xleftarrow{\$} \{0,1\}^n$
            $\mathsf{tg}[i] \xleftarrow{\$} \{0,1\}^l$
            $\mathsf{Pkt}[i] \leftarrow (\mathsf{dt}[i], \mathsf{tg}[i])$
        EndIf
    EndFor
    Return $\mathsf{Pkt}[1], \mathsf{Pkt}[2], \ldots, \mathsf{Pkt}[s + s']$

Algorithm $\mathcal{D}_K(\mathsf{Pkt}_1, \ldots, \mathsf{Pkt}_{s+s'})$
    For $i = 1, \ldots, s + s'$ do
        Parse $\mathsf{Pkt}_i$ as $(\mathsf{dt}, \mathsf{tg})$
        If $\mathsf{MAC}(K, \mathsf{dt}) = \mathsf{tg}$ then $m_i \leftarrow \mathsf{dt}$
    EndFor
    $M \leftarrow \mathsf{AONT}^{-1}(m_1 \| \cdots \| m_s)$
    Return $M$

The most obvious attack is to test each group of $s$ packets to see whether they are the wheat packets. The adversary goes through all size-$s$ subsets of the packets. In each case it forms a candidate output of $\mathsf{AONT}$ and applies $\mathsf{AONT}^{-1}$. Assuming it knows some partial information about the message, it can tell when it got the choice of the subset right. The time taken by this attack is proportional to $\binom{s + s'}{s}$.

The intuition for security given in [11] is that this is the best possible attack. The 
complexity is large as long as both s and s' are above some minimal threshold; for 
example, both more than 128. Accordingly we could set s' = 128 and choose the 
AONT so that its output always had at least 128 blocks. 
A closer look reveals however that security is not so straightforward. For example, 
another thing to consider is the effect of equal data blocks. If the data blocks in two 
packets are equal, an adversary can get some information by looking at their tags: if the 
tags are unequal, they cannot both be wheat packets, because the MAC is deterministic. 
This can reduce the complexity of an attack, indicating that the time-complexity of an 
attack must also be a function of the block size n of the output. 

There are other such considerations, but more importantly, we claim that Rivest’s 
notion of security for the AONT can be shown to be insufficient to make this scheme se- 
cure. An example illustrating this is to consider an AONT each of whose output blocks 
has the property that the first few bits are 0. (One can show that if any AONT meeting 
Rivest’s definition exists, then so does one with this property.) But with this AONT, 
Scheme 2 can be broken because wheat packets can be distinguished from chaff pack- 
ets: the wheat packets are the ones whose data has first few bits zero. The same counter- 
example shows that Definition 3 is also not enough. 

The example AONT we constructed above does not however meet Boyko’s stronger 
notion of security for AONTs [6], so the next question is whether Scheme 2 could be 
proven secure under this stronger notion. However even with this stronger notion it is 
unclear one can prove security. The reason is that the ciphertext contains the complete 
output of the AONT, while the security property of the AONT pertains to a setting 
where the adversary has no information about at least one block of the output of the 
AONT. This makes it unclear how to do a reduction. Indeed, the security property of an 
AONT does not seem to mesh well with what is required to prove security of Scheme 2. 
We will see next that a positive statement can be made by considering a particular 
AONT, namely the OAEP transform of Bellare and Rogaway [5]. But in general, as the 
transform used in the initial step, an AONT seems to be neither sufficient nor necessary 
for the security of Scheme 2. 

The OAEP transform appeals to random oracles $G\colon \{0,1\}^n \to \{0,1\}^m$ and $H\colon \{0,1\}^m \to \{0,1\}^n$, where $n$ is the length of the OAEP seed and $m$ as usual is the message length. It takes as input an $m$-bit string $M$ and proceeds as follows:

Algorithm $\mathsf{OAEP}^{G,H}(M)$
    $r \xleftarrow{\$} \{0,1\}^n$ ; $y \leftarrow G(r) \oplus M$ ; $w \leftarrow H(y) \oplus r$ ; Return $w \| y$

Boyko showed that OAEP is an AONT, but this will not help us here given the above dis- 
cussion. Instead, we go back to the transform itself and prove the security of Scheme 2 
when AONT is set to OAEP. 

As with any proof concerning OAEP, we work in the random oracle model of [4]. We must “lift” our definitions to allow all algorithms and parties, including the adversary, access to the random oracles $G, H$. Briefly, modify $\mathbf{Exp}^{\mathrm{priv}}_{\mathcal{SE}}(A, b)$ in Definition 1 to begin by picking $G, H$ randomly. Allow $\mathcal{E}_K$ and $A$ oracle access to $G, H$. Allow the scheme advantage to take extra parameters, $\mathbf{Adv}^{\mathrm{priv}}_{\mathcal{SE}}(t, q, \mu; q_G, q_H)$, these being bounds on the number of queries made by the adversary to the oracles in question.

The bound below reflects the above intuition: it is inversely proportional to $\binom{s + s'}{s}$ and also to $2^n$. This shows that for OAEP the security is what one would have liked it to be for a “good” AONT. The proof of Theorem 2 can be found in [1].
Theorem 2. Let $n, m$ be integers with $m$ a multiple of $n$. Let $\mathsf{MAC}\colon \{0,1\}^k \times \{0,1\}^* \to \{0,1\}^l$ be a pseudorandom function. Let $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be Scheme 2 using OAEP as the AONT, with parameters $n, s, s'$ where $s = m/n + 1$. For any $t, q$ we let $\mu = nq(s - 1)$. Assume $q_G < 2^n/2$ and $q_H < (1/2) \cdot \binom{s + s'}{s}$. Then

$\mathbf{Adv}^{\mathrm{priv}}_{\mathcal{SE}}(t, q, \mu; q_G, q_H) \le$

p_ + 2, c + (9+ i)M( S+s y + i] + A( j v p r ^ c( t , ) 


where $t' = t$, $q' = q(s + s')$ and $\mu' = nq(s + s')$.


5 A New Chaffing-and-Winnowing Scheme

Here we suggest an alternative scheme that has low data expansion and analyze its 
advantage function. It returns to much more “standard” paradigms of encryption than 
the scattering scheme. Simply apply an AONT to the message and then encrypt the 
first block of the message. If the last encryption is done by chaffing-and-winnowing, 
say using the bit-by-bit scheme, the whole scheme is also a chaffing-and-winnowing 
scheme, since the AONT is keyless. The savings in bandwidth comes from the fact that 
the number of bits encrypted using the bit-by-bit scheme is independent of the length 
of the message. 

Scheme 3. Let $\mathsf{AONT}$ be an all-or-nothing transform taking input messages of length $m$ and returning outputs of length $sn$. The output is viewed as a sequence of $n$-bit blocks. Let $\mathit{se} = (\mathcal{K}, \mathit{e}, \mathit{d})$ be the bit-by-bit scheme of Scheme 1 with message space $\{0,1\}^n$. The new scheme is $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ where

Algorithm $\mathcal{E}_K(M)$
    $M' \leftarrow \mathsf{AONT}(M)$
    Let $m'$ be the first block of $M'$ and $m''$ the remaining blocks
    $C_1 \leftarrow \mathit{e}_K(m')$
    Return $C_1 \| (m'', \mathsf{MAC}(K, m''))$

Algorithm $\mathcal{D}_K(C_1 \| (m'', T))$
    $m' \leftarrow \mathit{d}_K(C_1)$
    $M' \leftarrow m' \| m''$
    $M \leftarrow \mathsf{AONT}^{-1}(M')$
    Return $M$

Note that the MAC attached to $m''$ is irrelevant to security; it is only there in order to make the final scheme a chaffing-and-winnowing scheme.

We now analyze the security of Scheme 3. Refer to Definition 3 for the definition 
of the advantage function of AONT and note that L = 1 in this case, meaning we are 
requiring security only in the case where the first block is the one not provided to the 
adversary. A proof of the following theorem is in [1]. 

Theorem 3. Let $\mathsf{MAC}\colon \{0,1\}^k \times \{0,1\}^* \to \{0,1\}^l$ be a pseudorandom function and let $\mathsf{AONT}$ be an all-or-nothing transform with input length $m$, output length $sn$. Let $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be Scheme 3 using $\mathsf{AONT}$ as the all-or-nothing transform and Scheme 1 as $\mathit{se}$. Assume the counter in the latter is $p$ bits long. Then for any $t, q, \mu$ with $\mu = qm$ and $qn < 2^p$,

$$\mathbf{Adv}^{\mathrm{priv}}_{\mathcal{SE}}(t, q, \mu) \le 2 \cdot \mathbf{Adv}^{\mathrm{prf}}_{\mathsf{MAC}}(t, q_1, \mu_1) + \mathbf{Adv}_{\mathsf{AONT},1}(t)$$

where $q_1 = q(n + 1)$ and $\mu_1 = qn(s + p)$.

A concrete instantiation can be obtained by using OAEP in the role of the AONT. The 
security of this instantiation relies on the fact that OAEP is a secure AONT [6], and the 
concrete security can be obtained by combining the above with the results in [6]. (In 
that case we would have to lift all of the above to the random oracle model, but this is 
easily done.) 
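Scheme 1 and Scheme 3 (with OAEP in the role of the AONT) together, as an added Python example that is not the paper's code: HMAC-SHA256 stands in for the PRF MAC, domain-separated SHAKE256 stands in for the random oracles G and H, and the tag length l, counter width p, block length n and the byte encoding of b||<ctr+i> are choices of this example. The bit-by-bit scheme refuses to let its counter wrap, which is the condition mu < 2^p of Theorem 1, and Scheme 3 shows the bandwidth point of Section 5: only the n-bit first block goes through the bit-by-bit scheme, whatever the message length.

```python
import hashlib
import hmac
import secrets

# Parameters of this example (the paper fixes none of them).
TAG_LEN = 32          # l, in bytes: HMAC-SHA256 output length
CTR_BYTES = 4         # p = 32 bits of counter
BLOCK = 16            # n = 128 bits: OAEP seed length and block length


def mac(key: bytes, data: bytes) -> bytes:
    """MAC(K, .) instantiated as HMAC-SHA256, a PRF as the theorems assume."""
    return hmac.new(key, data, hashlib.sha256).digest()


def to_bits(data: bytes) -> list:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def from_bits(bits: list) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


class BitByBitCW:
    """Scheme 1: per message bit, one wheat packet and one chaff packet.
    The data field b||<ctr+i> is encoded as one byte holding b followed by the
    p-bit big-endian counter (an encoding choice of this example)."""

    def __init__(self, key: bytes):
        self.key = key
        self.ctr = 0

    def encrypt(self, msg: bytes) -> list:
        bits = to_bits(msg)
        # A wrapped counter repeats MAC inputs and the scheme becomes insecure,
        # so refuse to continue instead (Theorem 1 requires mu < 2^p).
        if self.ctr + len(bits) >= 2 ** (8 * CTR_BYTES):
            raise ValueError("counter exhausted; rekey before encrypting more")
        pkts = []
        for i, b in enumerate(bits, start=1):
            idx = (self.ctr + i).to_bytes(CTR_BYTES, "big")
            tg = {b: mac(self.key, bytes([b]) + idx),       # wheat: valid tag
                  1 - b: secrets.token_bytes(TAG_LEN)}      # chaff: random tag
            pkts.append((bytes([0]) + idx, tg[0]))          # Pkt[i, 0]
            pkts.append((bytes([1]) + idx, tg[1]))          # Pkt[i, 1]
        self.ctr += len(bits)
        return pkts

    def decrypt(self, pkts: list) -> bytes:
        # The winnow: keep the first data bit of each packet whose tag verifies.
        bits = [dt[0] for dt, tg in pkts
                if hmac.compare_digest(mac(self.key, dt), tg)]
        return from_bits(bits)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep(msg: bytes) -> bytes:
    """OAEP^{G,H}(M) = w||y with y = G(r) xor M and w = H(y) xor r.
    G and H are modelled by SHAKE256 with a one-byte domain prefix (assumption)."""
    r = secrets.token_bytes(BLOCK)
    y = xor(hashlib.shake_256(b"G" + r).digest(len(msg)), msg)
    w = xor(hashlib.shake_256(b"H" + y).digest(BLOCK), r)
    return w + y


def oaep_inverse(out: bytes) -> bytes:
    w, y = out[:BLOCK], out[BLOCK:]
    r = xor(hashlib.shake_256(b"H" + y).digest(BLOCK), w)
    return xor(hashlib.shake_256(b"G" + r).digest(len(y)), y)


class Scheme3:
    """Scheme 3 with OAEP as the AONT: the first n-bit block m' is encrypted
    with the bit-by-bit scheme, the rest m'' is sent in the clear with a MAC."""

    def __init__(self, key: bytes):
        self.key = key
        self.inner = BitByBitCW(key)   # se = (K, e, d) on message space {0,1}^n

    def encrypt(self, msg: bytes):
        mp = oaep(msg)
        m1, m2 = mp[:BLOCK], mp[BLOCK:]
        return self.inner.encrypt(m1), (m2, mac(self.key, m2))

    def decrypt(self, ct) -> bytes:
        c1, (m2, _tag) = ct            # the tag on m'' plays no role in privacy
        m1 = self.inner.decrypt(c1)
        return oaep_inverse(m1 + m2)
```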
Abstract. We consider two possible notions of authenticity for symmetric en- 
cryption schemes, namely integrity of plaintexts and integrity of ciphertexts, 
and relate them to the standard notions of privacy for symmetric encryption 
schemes by presenting implications and separations between all notions consid- 
ered. We then analyze the security of authenticated encryption schemes designed 
by “generic composition,” meaning making black-box use of a given symmetric 
encryption scheme and a given MAC. Three composition methods are consid- 
ered, namely Encrypt-and-MAC plaintext, MAC-then-encrypt, and Encrypt-then- 
MAC. For each of these, and for each notion of security, we indicate whether or 
not the resulting scheme meets the notion in question assuming the given sym- 
metric encryption scheme is secure against chosen-plaintext attack and the given 
MAC is unforgeable under chosen-message attack. We provide proofs for the 
cases where the answer is “yes” and counter-examples for the cases where the 
answer is “no.” 


1 Introduction 

We use the term authenticated encryption scheme to refer to a shared-key based trans- 
form whose goal is to provide both privacy and authenticity of the encapsulated data. In 
such a scheme the encryption process applied by the sender takes the key and a plain- 
text to return a ciphertext, while the decryption process applied by the receiver takes 
the same key and a ciphertext to return either a plaintext or a special symbol indicating 
that it considers the ciphertext invalid or unauthentic. 

The design of such schemes has attracted a lot of attention historically. The early 
schemes were typically based on adding “redundancy” to the message before CBC 
encrypting, and many of these schemes were broken. Today authenticated encryption 
schemes continue to be the target of design and standardization efforts. A popular modern design paradigm is to combine MACs with standard block cipher modes of operation. 

The goal of symmetric encryption is usually viewed as privacy, but an authenti- 
cated encryption scheme is simply a symmetric encryption scheme meeting additional 
authenticity goals. The first part of this paper formalizes several different possible no- 
tions of authenticity for symmetric encryption schemes, and integrates them into the 
existing mosaic of notions by relating them to the main known notions of privacy for 
symmetric encryption, via implications and separations in the style of [3]. The second 
part of this paper is motivated by emerging standards such as [16] which design au- 
thenticated encryption schemes by what we call “generic composition” of encryption 
and MAC schemes. We analyze, with regard to meeting the previous notions, several 
generic composition methods. Let us now look at these items in more detail. 

1.1 Relations among Notions 

Privacy goals for symmetric encryption schemes include indistinguishability and non- 
malleability, each of which can be considered under either chosen-plaintext or (adap- 
tive) chosen-ciphertext attack, leading to four notions of security we abbreviate 
IND-CPA, IND-CCA, NM-CPA, NM-CCA. (The original definitions were in the asym- 
metric setting [12,10,18] but can be “lifted” to the symmetric setting using the en- 
cryption oracle based template of [2]). The relations among these notions are well- 
understood [3,11]. (These papers state results for the asymmetric setting, but as noted 
in [3] it is an easy exercise to transfer them to the symmetric setting.) 

We consider two notions of integrity (we use the terms authenticity and integrity in- 
terchangeably) for symmetric encryption schemes. INT-PTXT (integrity of plaintexts) 
requires that it be computationally infeasible to produce a ciphertext decrypting to a 
message which the sender had never encrypted, while INT-CTXT (integrity of cipher- 
texts) requires that it be computationally infeasible to produce a ciphertext not previ- 
ously produced by the sender, regardless of whether or not the underlying plaintext is 
“new.” (In both cases, the adversary is allowed a chosen-message attack.) The first of 
these notions is the more natural security requirement while the interest of the second, 
stronger notion is perhaps more in the implications we discuss below. 

These notions of authenticity are by themselves quite disjoint from the notions 
of privacy; for example, sending the message in the clear with an accompanying 
(strong) MAC achieves INT-CTXT but no kind of privacy. To make for useful com- 
parisons, we consider each notion of authenticity coupled with IND-CPA, the weakest 
notion of privacy; namely the notions on which we focus for comparison purposes are 
INT-PTXT ∧ IND-CPA and INT-CTXT ∧ IND-CPA. (Read “∧” as “and”.) 

Figure 1 shows the graph of relations between these notions and the above-mentioned older ones in the style of [3]. An “implication” $A \to B$ means that every symmetric encryption scheme meeting notion A also meets notion B. A “separation” $A \nrightarrow B$ means that there exists a symmetric encryption scheme meeting notion A but not notion B. (This under the minimal assumption that some scheme meeting notion A exists since otherwise the question is moot.) Only a minimal set of relations is explicitly indicated; the relation between any two notions can be derived from the shown ones. (For example, IND-CCA does not imply INT-CTXT ∧ IND-CPA because otherwise, by following arrows, we would get IND-CCA → INT-PTXT ∧ IND-CPA contradicting a stated separation.) The dotted lines are reminders of existing relations while the numbers annotating the dark lines are pointers to Propositions or Theorems in this paper.

A few points may be worth highlighting. Integrity of ciphertexts — even when cou- 
pled only with the weak privacy requirement IND-CPA — emerges as the most pow- 
erful notion. Not only does it imply security against chosen-ciphertext attack, but it is 
strictly stronger than this notion. Non-malleability — whether under chosen-plaintext or 
[Fig. 1 diagram not reproduced: boxes IND-CCA, NM-CCA, IND-CPA and NM-CPA, with arrows annotated [3,11], [3], [10] and “easy”.]

Fig. 1. Relations among notions of symmetric encryption: An arrow denotes an implication while a barred arrow denotes a separation. The full arrows are relations proved in this paper, annotated with the number of the corresponding Proposition or Theorem, while dotted arrows are reminders of existing relations, annotated with citations to the papers establishing them.


chosen-ciphertext attack — does not imply any type of integrity. The intuitive reason is 
that non-malleability only prevents the generation of ciphertexts whose plaintexts are 
meaningfully related to those of some challenge ciphertexts, while integrity requires 
it to be hard to generate ciphertexts of new plaintexts even if these are unrelated to 
plaintexts underlying any existing ciphertexts. Finally, INT-PTXT ∧ IND-CPA does not imply INT-CTXT ∧ IND-CPA. 

1.2 Analysis of Generic Composition 

There are many possible ways to design authenticated encryption schemes. We focus in 
this paper on “generic composition:” simply combine a standard symmetric encryption 
scheme with a MAC in some way. There are a few possible ways to do it, and our goal 
is to analyze and compare their security. (The motivation, as we will argue, is that these 
“obvious” methods, as often the case in practice, remain the most pragmatic from the 
point of view of performance and security architecture design.) 

Generic composition. Assume we are given a symmetric encryption scheme $\mathcal{SE}$ specified by an encryption algorithm $\mathcal{E}$ and a decryption algorithm $\mathcal{D}$. (Typically this will be a block cipher mode of operation.) Also assume we are given a message authentication scheme $\mathcal{MA}$ specified by a tagging algorithm $\mathcal{T}$ and a tag verifying algorithm $\mathcal{V}$ and meeting some appropriate notion of unforgeability under chosen-message attack. (Possibilities include the CBC-MAC, HMAC [1], or UMAC [8]). We consider the following methods of “composing” these schemes in order to create an authenticated encryption scheme meeting either INT-CTXT ∧ IND-CPA or INT-PTXT ∧ IND-CPA. We call them “generic” because the algorithms of the authenticated encryption scheme appeal to the given ones as black-boxes only: 
[Table not reproduced.] Fig. 2. Summary of security results for the composed authenticated encryption schemes under the assumption that the given encryption scheme is IND-CPA and the given MAC is weakly unforgeable. 

[Table not reproduced.] Fig. 3. Summary of security results for the composed authenticated encryption schemes under the assumption that the given encryption scheme is IND-CPA and the given MAC is strongly unforgeable. 


— Encrypt-and-MAC plaintext: $\bar{\mathcal{E}}_{K_e, K_m}(M) = \mathcal{E}_{K_e}(M) \| \mathcal{T}_{K_m}(M)$.¹ Namely, encrypt the plaintext and append a MAC of the plaintext. “Decrypt+verify” is performed by first decrypting to get the plaintext and then verifying the tag. 

— MAC-then-encrypt: $\bar{\mathcal{E}}_{K_e, K_m}(M) = \mathcal{E}_{K_e}(M \| \mathcal{T}_{K_m}(M))$. Namely, append a MAC to the plaintext and then encrypt them together. “Decrypt+verify” is performed by first decrypting to get the plaintext and candidate tag, and then verifying the tag. 

— Encrypt-then-MAC: $\bar{\mathcal{E}}_{K_e, K_m}(M) = C \| \mathcal{T}_{K_m}(C)$ where $C = \mathcal{E}_{K_e}(M)$. Namely, encrypt the plaintext to get a ciphertext $C$ and append a MAC of $C$. “Decrypt+verify” is performed by first verifying the tag and then decrypting $C$. This is the method of Internet RFC [16]. 

Here $\bar{\mathcal{E}}$ is the encryption algorithm of the authenticated encryption scheme while the “decrypt+verify” process specifies a decryption algorithm $\bar{\mathcal{D}}$. The latter will either return a plaintext or a special symbol indicating that it considers the ciphertext unauthentic. 
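The three compositions in Python, as an added example that is not the paper's code: HMAC-SHA256 serves both as the PRF driving a counter-mode base scheme (the IND-CPA component) and as the MAC (a PRF, hence strongly unforgeable), the 16-byte random nonce and all function names are this example's choices, and "||" is plain concatenation because the tag has a fixed length. Every decrypt+verify returns None for the special symbol ⊥; the last two functions show why a deterministic MAC of the plaintext undermines IND-CPA for Encrypt-and-MAC, and that Encrypt-then-MAC rejects a modified ciphertext before any decryption takes place.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32   # HMAC-SHA256 output; fixed length, so "||" can be plain concatenation


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _keystream(ke: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + TAG_LEN - 1) // TAG_LEN
    return b"".join(prf(ke, nonce + i.to_bytes(4, "big")) for i in range(blocks))[:length]


def enc(ke: bytes, msg: bytes) -> bytes:
    """Base scheme E: counter mode over the PRF with a fresh random nonce."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(msg, _keystream(ke, nonce, len(msg))))


def dec(ke: bytes, ct: bytes) -> bytes:
    nonce, body = ct[:NONCE_LEN], ct[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(ke, nonce, len(body))))


def tag(km: bytes, data: bytes) -> bytes:
    """The MAC T: a PRF, hence strongly unforgeable (the setting of Figure 3)."""
    return prf(km, data)


def verify(km: bytes, data: bytes, t: bytes) -> bool:
    return hmac.compare_digest(tag(km, data), t)   # constant-time comparison


# The three generic compositions; decrypt+verify returns None for the symbol ⊥.

def eam_encrypt(ke, km, msg):               # Encrypt-and-MAC: E(M) || T(M)
    return enc(ke, msg) + tag(km, msg)

def eam_decrypt(ke, km, ct):
    body, t = ct[:-TAG_LEN], ct[-TAG_LEN:]
    msg = dec(ke, body)                     # decrypt first, then verify the tag
    return msg if verify(km, msg, t) else None

def mte_encrypt(ke, km, msg):               # MAC-then-encrypt: E(M || T(M))
    return enc(ke, msg + tag(km, msg))

def mte_decrypt(ke, km, ct):
    pt = dec(ke, ct)
    msg, t = pt[:-TAG_LEN], pt[-TAG_LEN:]
    return msg if verify(km, msg, t) else None

def etm_encrypt(ke, km, msg):               # Encrypt-then-MAC: C || T(C), C = E(M)
    c = enc(ke, msg)
    return c + tag(km, c)

def etm_decrypt(ke, km, ct):
    c, t = ct[:-TAG_LEN], ct[-TAG_LEN:]
    if not verify(km, c, t):                # verify first; unauthenticated data is never decrypted
        return None
    return dec(ke, c)


def eam_leaks_repetition(ke, km, msg) -> bool:
    """Encrypt-and-MAC with a deterministic MAC is not IND-CPA: two encryptions
    of the same plaintext carry the same tag, so a left-or-right adversary that
    queries (M0, M0) and then (M0, M1) learns b by comparing tags."""
    c1, c2 = eam_encrypt(ke, km, msg), eam_encrypt(ke, km, msg)
    return c1[-TAG_LEN:] == c2[-TAG_LEN:]


def etm_rejects_tampering(ke, km, msg) -> bool:
    """Integrity of ciphertexts under Encrypt-then-MAC: flipping one bit of the
    transmitted string makes decrypt+verify return ⊥ (None)."""
    ct = bytearray(etm_encrypt(ke, km, msg))
    ct[NONCE_LEN] ^= 0x01                   # first byte after the nonce
    return etm_decrypt(ke, km, bytes(ct)) is None
```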

Security results. Figure 2 and Figure 3 summarize the security results for the three composite authenticated encryption schemes. (We omit NM-CCA since it is equivalent to IND-CCA). Figure 2 shows the results assuming that the base MAC is weakly unforgeable while Figure 3 shows the results assuming that the MAC is strongly unforgeable. Weak unforgeability is the standard notion [4] — it should be computationally infeasible for the adversary to find a message-tag pair in which the message is “new,” even after a chosen-message attack. Strong unforgeability requires that it be computationally infeasible for the adversary to find a new message-tag pair even after a chosen-message attack. (The message does not have to be new as long as the output tag was not previously attached to this message by the legitimate parties.) We note that any pseudorandom function is a strongly unforgeable MAC, and most practical MACs seem to be strongly unforgeable. Therefore, analyzing the composition methods under this notion is a realistic and useful approach. Entries in the above tables have the following meaning: 

— Secure: The composite encryption scheme in question is proven to meet the security requirement in question, assuming only that the component encryption scheme meets IND-CPA and the message authentication scheme is unforgeable under chosen-message attack. 

— Insecure: There exists some IND-CPA secure symmetric encryption and some message authentication scheme unforgeable under chosen-message attack such that the composite scheme based on them does not meet the security requirement in question. 

¹ Here (and everywhere in this paper) “$\|$” denotes an operation that combines several strings into one in such a way that the constituent strings are uniquely recoverable from the final one. (If lengths of all strings are fixed and known, concatenation will serve the purpose.) 

As we can see from Figure 3, the encrypt-then-MAC method of [16] is secure from all 
points of view, making it a good choice for a standard. 

The use of a generic composition method secure in the sense above is advantageous 
from the point of view both of performance and of security architecture. The perfor- 
mance benefit arises from the presence of fast MACs such as HMAC [1] and UMAC 
[8]. The architectural benefits arise from the stringent notion of security being used. 
To be secure, the composition must be secure for all possible secure instantiations of 
its constituent primitives. (If it is secure for some instantiations but not others, we de- 
clare it insecure.) An application can thus choose a symmetric encryption scheme and 
a message authentication scheme independently (these are usually already supported 
by existing security analyses) and then appeal to some fixed and standard composition 
technique to combine them. No tailored security analysis of the composed scheme is 
required. 

In Section 4 we state formal theorems to support the above claims, providing quanti- 
tative bounds for the positive results, and counter-examples with attacks for the negative 
result. For brevity, we provide theorems and proofs for only the results in Figure 3 (i.e. 
the strong MAC case). 

Quantitative results and comparisons. Above we have discussed our results 
at a qualitative level. Each result also has a quantitative counterpart; these are what our 
theorems actually state and prove. These “concrete security” analyses enable a designer 
to estimate the security of the authenticated encryption scheme in terms of that of its 
components. All the reductions in this paper are tight, meaning there is little to no loss 
of security. 
1.3 Related Work 

The notions IND-CCA, NM-CCA were denoted IND-CCA2 and NM-CCA2, respec- 
tively, in [3]. The chosen-ciphertext attacks here are the adaptive kind [18]. Considera- 
tion of non-adaptive chosen-ciphertext attacks [17] leads to two more notions, denoted 
IND-CCA1 and NM-CCA1 by [3], who worked out the relations between six notions 
of privacy, these two and the four we consider here. (Their results hold for both the 
asymmetric and the symmetric settings, as mentioned before.) Three additional notions 
of privacy are considered and related to these six by [14]. In this paper, we have for sim- 
plicity avoided consideration of all the possible notions of privacy, focusing instead on 
what we consider the (four) main ones and their relations to the notions of authenticity. 
Relations of the remaining notions of privacy to the notions of authenticity considered 
here can be easily worked out. 

Authenticity of an encryption scheme has been understood as a goal by designers for 
many years. The first formalization of which we are aware is that of [6]. (Early versions 
of their work date to 1998.) The notion they formalized was INT-CTXT. The formal- 
ization of INT-PTXT we use here seems to be new. In independent and concurrent work 
(both papers were submitted to FSEOO) Katz and Yung [15] formalize INT-CTXT plus 
two other notions of authenticity not considered here. They also observe the implication 
INT-CTXT ∧ IND-CPA → IND-CCA. 

Generic composition is one of many approaches to the design of authenticated en- 
cryption schemes. Two more general approaches are “encryption with redundancy” — 
append redundancy to the message before encrypting, the latter typically with some 
block cipher mode of operation — and “encode then encipher” [6] — add random- 
ness and redundancy and then encipher rather than encrypt. As indicated above, at- 
tacks have been found on many encrypt with redundancy schemes. Encode then en- 
cipher, however, can be proven to work [6] — meaning yields schemes achieving 
INT-CTXT ∧ IND-CPA — but requires a variable-input length pseudorandom permu- 
tation, which can be relatively expensive to construct. In addition, there are many spe- 
cific schemes. One such scheme is the RPC mode of [15] but it is computation and 
space inefficient compared to the generic composition methods. (Processing an n-block 
plaintext requires (1 + c)n block cipher computations and results in a ciphertext of this 
many blocks, where c > 0.3.) Another scheme is the elegant IACBC mode of Jutla 
[13] which uses n + 0(log n) block cipher operations to process an n-block plaintext. 
Implementation and testing would be required to compare its speed with that of generic 
composition methods that use fast MACs (cf. [1,8]). 

Authenticated encryption is not the only approach to achieving security against 
chosen-ciphertext attacks. Direct approaches yielding more compact schemes have been 
provided by Desai [9]. 

2 Definitions 

We present definitions for symmetric encryption following [2], first specifying the syn- 
tax — meaning what kinds of algorithms make up the scheme — and then specifying 
formal security measures. Associated with each scheme, each notion of security and 
each adversary is an advantage function that measures the success probability of this 
adversary as a function of the security parameter. We define asymptotic notions of security by asking this function to be negligible for adversaries of time complexity 
polynomial in the security parameter. Concrete security assessments are made by as- 
sociating to the scheme another advantage function that for each value of the security 
parameter and given resources for an adversary returns the maximum, over all adver- 
saries limited to the given resources, of the success probability. 

The concrete security assessments are important in practical applications — block 
cipher based schemes have no associated asymptotics. Hence, we provide concrete se- 
curity assessments for all positive results (implications or proofs that composition meth- 
ods meet some notion of security). For simplicity, however, negative results (separations 
or counter-examples) are phrased in the asymptotic style. (Concrete security statements 
are, however, easily derived from the proofs.) 

Syntax of (symmetric) encryption schemes. A (symmetric) encryption scheme $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ consists of three algorithms. The randomized key generation algorithm $\mathcal{K}$ takes input a security parameter $k \in \mathbb{N}$ and returns a key $K$; we write $K \xleftarrow{\$} \mathcal{K}(k)$. The encryption algorithm $\mathcal{E}$ could be randomized or stateful. It takes the key $K$ and a plaintext $M$ to return a ciphertext $C$; we write $C \xleftarrow{\$} \mathcal{E}_K(M)$. (If randomized, it flips coins anew on each invocation. If stateful, it uses and then updates a state that is maintained across invocations.) The decryption algorithm $\mathcal{D}$ is deterministic and stateless. It takes the key $K$ and a string $C$ to return either the corresponding plaintext $M$ or the symbol $\bot$; we write $x \leftarrow \mathcal{D}_K(C)$ where $x \in \{0,1\}^* \cup \{\bot\}$. We require that $\mathcal{D}_K(\mathcal{E}_K(M)) = M$ for all $M \in \{0,1\}^*$. An authenticated encryption scheme is syntactically identical to an encryption scheme as defined above; we will use the term only to emphasize cases where we are targeting authenticity goals. 

Privacy. We measure indistinguishability via the "left-or-right" model of [2]. Define
the left-or-right oracle $\mathcal{E}_K(\mathcal{LR}(\cdot,\cdot,b))$, where $b \in \{0,1\}$, to take input $(x_0, x_1)$ and
do the following: if $b = 0$ it computes $C \leftarrow \mathcal{E}_K(x_0)$ and returns $C$; else it computes
$C \leftarrow \mathcal{E}_K(x_1)$ and returns $C$. The adversary makes oracle queries of the form $(x_0, x_1)$
consisting of two equal length messages and must guess the bit $b$. To model chosen-ciphertext attacks we allow the adversary to also have access to a decryption oracle.


Definition 1. (Indistinguishability of a Symmetric Encryption Scheme [2]) Let
$\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a symmetric encryption scheme. Let $b \in \{0,1\}$ and $k \in \mathbb{N}$. Let
$A_{\mathrm{cpa}}$ be an adversary that has access to the oracle $\mathcal{E}_K(\mathcal{LR}(\cdot,\cdot,b))$ and let $A_{\mathrm{cca}}$ be an
adversary that has access to the oracles $\mathcal{E}_K(\mathcal{LR}(\cdot,\cdot,b))$ and $\mathcal{D}_K(\cdot)$. Now, we consider
the following experiments:

Experiment $\mathbf{Exp}^{\textrm{ind-cpa-}b}_{\mathcal{SE},A_{\mathrm{cpa}}}(k)$
  $K \leftarrow \mathcal{K}(k)$
  $x \leftarrow A_{\mathrm{cpa}}^{\mathcal{E}_K(\mathcal{LR}(\cdot,\cdot,b))}(k)$
  Return $x$

Experiment $\mathbf{Exp}^{\textrm{ind-cca-}b}_{\mathcal{SE},A_{\mathrm{cca}}}(k)$
  $K \leftarrow \mathcal{K}(k)$
  $x \leftarrow A_{\mathrm{cca}}^{\mathcal{E}_K(\mathcal{LR}(\cdot,\cdot,b)),\,\mathcal{D}_K(\cdot)}(k)$
  Return $x$

Above it is mandated that $A_{\mathrm{cca}}$ never queries $\mathcal{D}_K(\cdot)$ on a ciphertext $C$ output by the
$\mathcal{E}_K(\mathcal{LR}(\cdot,\cdot,b))$ oracle, and that the two messages queried of $\mathcal{E}_K(\mathcal{LR}(\cdot,\cdot,b))$ always
have equal length. We define the advantages of the adversaries via

$$\mathbf{Adv}^{\textrm{ind-cpa}}_{\mathcal{SE},A_{\mathrm{cpa}}}(k) = \Pr\left[\mathbf{Exp}^{\textrm{ind-cpa-1}}_{\mathcal{SE},A_{\mathrm{cpa}}}(k) = 1\right] - \Pr\left[\mathbf{Exp}^{\textrm{ind-cpa-0}}_{\mathcal{SE},A_{\mathrm{cpa}}}(k) = 1\right]$$

$$\mathbf{Adv}^{\textrm{ind-cca}}_{\mathcal{SE},A_{\mathrm{cca}}}(k) = \Pr\left[\mathbf{Exp}^{\textrm{ind-cca-1}}_{\mathcal{SE},A_{\mathrm{cca}}}(k) = 1\right] - \Pr\left[\mathbf{Exp}^{\textrm{ind-cca-0}}_{\mathcal{SE},A_{\mathrm{cca}}}(k) = 1\right] .$$

We define the advantage functions of the scheme as follows. For any integers $t, q_e, q_d, \mu$,

$$\mathbf{Adv}^{\textrm{ind-cpa}}_{\mathcal{SE}}(k, t, q_e, \mu) = \max_{A_{\mathrm{cpa}}}\left\{\mathbf{Adv}^{\textrm{ind-cpa}}_{\mathcal{SE},A_{\mathrm{cpa}}}(k)\right\}$$

$$\mathbf{Adv}^{\textrm{ind-cca}}_{\mathcal{SE}}(k, t, q_e, q_d, \mu) = \max_{A_{\mathrm{cca}}}\left\{\mathbf{Adv}^{\textrm{ind-cca}}_{\mathcal{SE},A_{\mathrm{cca}}}(k)\right\}$$

where the maximum is over all $A_{\mathrm{cpa}}$, $A_{\mathrm{cca}}$ with "time complexity" $t$, each making
at most $q_e$ queries to the $\mathcal{E}_K(\mathcal{LR}(\cdot,\cdot,b))$ oracle, totaling at most $\mu$ bits, and, in the
case of $A_{\mathrm{cca}}$, also making at most $q_d$ queries to the $\mathcal{D}_K(\cdot)$ oracle. The scheme $\mathcal{SE}$
is said to be IND-CPA secure (resp. IND-CCA secure) if the function $\mathbf{Adv}^{\textrm{ind-cpa}}_{\mathcal{SE},A}(\cdot)$
(resp. $\mathbf{Adv}^{\textrm{ind-cca}}_{\mathcal{SE},A}(\cdot)$) is negligible for any adversary $A$ whose time complexity is polynomial
in $k$. $\blacksquare$

The “time complexity” is the worst case total execution time of the experiment, plus the 
size of the code of the adversary, in some fixed RAM model of computation. We stress 
that the total execution time of the experiment includes the time of all operations in
the experiment, including the time for key generation and the computation of answers to 
oracle queries. Thus, when the time complexity is polynomially bounded, so are all the 
other parameters. This convention for measuring time complexity and other resources 
of an adversary is used for all definitions in this paper. The advantage function is the 
maximum probability that the security of the scheme S£ can be compromised by an 
adversary using the indicated resources, and is used for concrete security analyses. 

We will not use definitions of non-malleability as per [10,3] but instead use the
equivalent indistinguishability under parallel chosen-ciphertext attack characterization
of [7]. This facilitates our proofs and analyses and also facilitates concrete security
measurements. The notation $\mathcal{D}_K(\cdot)$ also denotes the algorithm which takes input a vector
$\mathbf{c} = (c_1, \ldots, c_n)$ of ciphertexts and returns the corresponding vector $\mathbf{p} = (\mathcal{D}_K(c_1), \ldots,
\mathcal{D}_K(c_n))$ of plaintexts.

Definition 2. (Non-Malleability of a Symmetric Encryption Scheme [7]) Let $\mathcal{SE} =
(\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a symmetric encryption scheme. Let $b \in \{0,1\}$ and $k \in \mathbb{N}$. Let $A_{\mathrm{cpa}} =
(A_{\mathrm{cpa}_1}, A_{\mathrm{cpa}_2})$ be an adversary that has access to the oracle $\mathcal{E}_K(\mathcal{LR}(\cdot,\cdot,b))$ and let
$A_{\mathrm{cca}} = (A_{\mathrm{cca}_1}, A_{\mathrm{cca}_2})$ be an adversary that has access to the oracles $\mathcal{E}_K(\mathcal{LR}(\cdot,\cdot,b))$
and $\mathcal{D}_K(\cdot)$. Now, we consider the following experiments:

Experiment $\mathbf{Exp}^{\textrm{nm-cpa-}b}_{\mathcal{SE},A_{\mathrm{cpa}}}(k)$
  $K \leftarrow \mathcal{K}(k)$
  $(\mathbf{c}, s) \leftarrow A_{\mathrm{cpa}_1}^{\mathcal{E}_K(\mathcal{LR}(\cdot,\cdot,b))}(k)$
  $\mathbf{p} \leftarrow \mathcal{D}_K(\mathbf{c})$
  $x \leftarrow A_{\mathrm{cpa}_2}(\mathbf{p}, \mathbf{c}, s)$
  Return $x$

Experiment $\mathbf{Exp}^{\textrm{nm-cca-}b}_{\mathcal{SE},A_{\mathrm{cca}}}(k)$
  $K \leftarrow \mathcal{K}(k)$
  $(\mathbf{c}, s) \leftarrow A_{\mathrm{cca}_1}^{\mathcal{E}_K(\mathcal{LR}(\cdot,\cdot,b)),\,\mathcal{D}_K(\cdot)}(k)$
  $\mathbf{p} \leftarrow \mathcal{D}_K(\mathbf{c})$
  $x \leftarrow A_{\mathrm{cca}_2}(\mathbf{p}, \mathbf{c}, s)$
  Return $x$

Above it is mandated that the vector $\mathbf{c}$ output by $A_{\mathrm{cpa}_1}$ (resp. $A_{\mathrm{cca}_1}$) does not contain any of the
ciphertexts output by the $\mathcal{E}_K(\mathcal{LR}(\cdot,\cdot,b))$ oracle, and that the pairs of messages queried
of $\mathcal{E}_K(\mathcal{LR}(\cdot,\cdot,b))$ are always of equal length. We define the advantages of the adversaries via

$$\mathbf{Adv}^{\textrm{nm-cpa}}_{\mathcal{SE},A_{\mathrm{cpa}}}(k) = \Pr\left[\mathbf{Exp}^{\textrm{nm-cpa-1}}_{\mathcal{SE},A_{\mathrm{cpa}}}(k) = 1\right] - \Pr\left[\mathbf{Exp}^{\textrm{nm-cpa-0}}_{\mathcal{SE},A_{\mathrm{cpa}}}(k) = 1\right]$$

$$\mathbf{Adv}^{\textrm{nm-cca}}_{\mathcal{SE},A_{\mathrm{cca}}}(k) = \Pr\left[\mathbf{Exp}^{\textrm{nm-cca-1}}_{\mathcal{SE},A_{\mathrm{cca}}}(k) = 1\right] - \Pr\left[\mathbf{Exp}^{\textrm{nm-cca-0}}_{\mathcal{SE},A_{\mathrm{cca}}}(k) = 1\right] .$$

We define the advantage functions of the scheme as follows. For any integers $t, q_e, q_d, \mu$,

$$\mathbf{Adv}^{\textrm{nm-cpa}}_{\mathcal{SE}}(k, t, q_e, \mu) = \max_{A_{\mathrm{cpa}}}\left\{\mathbf{Adv}^{\textrm{nm-cpa}}_{\mathcal{SE},A_{\mathrm{cpa}}}(k)\right\}$$

$$\mathbf{Adv}^{\textrm{nm-cca}}_{\mathcal{SE}}(k, t, q_e, q_d, \mu) = \max_{A_{\mathrm{cca}}}\left\{\mathbf{Adv}^{\textrm{nm-cca}}_{\mathcal{SE},A_{\mathrm{cca}}}(k)\right\}$$

where the maximum is over all $A_{\mathrm{cpa}}$, $A_{\mathrm{cca}}$ with time complexity $t$, each making at
most $q_e$ queries to the $\mathcal{E}_K(\mathcal{LR}(\cdot,\cdot,b))$ oracle, totaling at most $\mu$ bits, and, in the case
of $A_{\mathrm{cca}}$, also making at most $q_d$ queries to the $\mathcal{D}_K(\cdot)$ oracle. The scheme $\mathcal{SE}$ is said
to be NM-CPA secure (resp. NM-CCA secure) if the function $\mathbf{Adv}^{\textrm{nm-cpa}}_{\mathcal{SE},A}(\cdot)$ (resp.
$\mathbf{Adv}^{\textrm{nm-cca}}_{\mathcal{SE},A}(\cdot)$) is negligible for any adversary $A$ whose time complexity is polynomial
in $k$. $\blacksquare$


Integrity. Now we specify security definitions for integrity (authenticity) of a symmetric encryption scheme $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$. It is convenient to define an algorithm
$\mathcal{D}^*_K(\cdot)$ as follows: If $\mathcal{D}_K(C) \neq \bot$, then return 1, else return 0. We call this the verification algorithm or verification oracle. The adversary is allowed a chosen-message
attack on the scheme, modeled by giving it access to an encryption oracle $\mathcal{E}_K(\cdot)$. It is
successful if it makes the verification oracle accept a ciphertext that was not "legitimately produced." Different interpretations of the latter give rise to different notions.

Definition 3. (Integrity of an Authenticated Encryption Scheme) Let $\mathcal{SE} =
(\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a symmetric encryption scheme. Let $k \in \mathbb{N}$, and let $A_{\mathrm{ptxt}}$ and $A_{\mathrm{ctxt}}$ be
adversaries each of which has access to two oracles: $\mathcal{E}_K(\cdot)$ and $\mathcal{D}^*_K(\cdot)$. Consider these
experiments.

Experiment $\mathbf{Exp}^{\textrm{int-ptxt}}_{\mathcal{SE},A_{\mathrm{ptxt}}}(k)$
  $K \leftarrow \mathcal{K}(k)$
  If $A_{\mathrm{ptxt}}^{\mathcal{E}_K(\cdot),\mathcal{D}^*_K(\cdot)}(k)$ makes a query $C$ to the oracle $\mathcal{D}^*_K(\cdot)$ such that
    - $\mathcal{D}^*_K(C)$ returns 1, and
    - $M \stackrel{\mathrm{def}}{=} \mathcal{D}_K(C)$ was never a query to $\mathcal{E}_K(\cdot)$
  then return 1 else return 0.

Experiment $\mathbf{Exp}^{\textrm{int-ctxt}}_{\mathcal{SE},A_{\mathrm{ctxt}}}(k)$
  $K \leftarrow \mathcal{K}(k)$
  If $A_{\mathrm{ctxt}}^{\mathcal{E}_K(\cdot),\mathcal{D}^*_K(\cdot)}(k)$ makes a query $C$ to the oracle $\mathcal{D}^*_K(\cdot)$ such that
    - $\mathcal{D}^*_K(C)$ returns 1, and
    - $C$ was never a response of $\mathcal{E}_K(\cdot)$
  then return 1 else return 0.

We define the advantages of the adversaries via

$$\mathbf{Adv}^{\textrm{int-ptxt}}_{\mathcal{SE},A_{\mathrm{ptxt}}}(k) = \Pr\left[\mathbf{Exp}^{\textrm{int-ptxt}}_{\mathcal{SE},A_{\mathrm{ptxt}}}(k) = 1\right]$$

$$\mathbf{Adv}^{\textrm{int-ctxt}}_{\mathcal{SE},A_{\mathrm{ctxt}}}(k) = \Pr\left[\mathbf{Exp}^{\textrm{int-ctxt}}_{\mathcal{SE},A_{\mathrm{ctxt}}}(k) = 1\right] .$$

We define the advantage functions of the scheme as follows. For any integers $t, q_e, q_d, \mu$,

$$\mathbf{Adv}^{\textrm{int-ptxt}}_{\mathcal{SE}}(k, t, q_e, q_d, \mu) = \max_{A_{\mathrm{ptxt}}}\left\{\mathbf{Adv}^{\textrm{int-ptxt}}_{\mathcal{SE},A_{\mathrm{ptxt}}}(k)\right\}$$

$$\mathbf{Adv}^{\textrm{int-ctxt}}_{\mathcal{SE}}(k, t, q_e, q_d, \mu) = \max_{A_{\mathrm{ctxt}}}\left\{\mathbf{Adv}^{\textrm{int-ctxt}}_{\mathcal{SE},A_{\mathrm{ctxt}}}(k)\right\}$$

where the maximum is over all $A_{\mathrm{ptxt}}$, $A_{\mathrm{ctxt}}$ with time complexity $t$, each making at
most $q_e$ queries to the oracle $\mathcal{E}_K(\cdot)$ and at most $q_d$ queries to $\mathcal{D}^*_K(\cdot)$ such that the sum of
the lengths of all oracle queries is at most $\mu$ bits. The scheme $\mathcal{SE}$ is said to be INT-PTXT
secure (resp. INT-CTXT secure) if the function $\mathbf{Adv}^{\textrm{int-ptxt}}_{\mathcal{SE},A}(\cdot)$ (resp. $\mathbf{Adv}^{\textrm{int-ctxt}}_{\mathcal{SE},A}(\cdot)$) is
negligible for any adversary $A$ whose time complexity is polynomial in $k$. $\blacksquare$

Message authentication schemes. A message authentication scheme $\mathcal{MA} =
(\mathcal{K}, \mathcal{T}, \mathcal{V})$ consists of three algorithms. The randomized key generation algorithm $\mathcal{K}$
takes input a security parameter $k \in \mathbb{N}$ and returns a key $K$; we write $K \leftarrow \mathcal{K}(k)$.
The tagging algorithm $\mathcal{T}$ could be either randomized or stateful. It takes the key $K$
and a message $M$ to return a tag $\sigma$; we write $\sigma \leftarrow \mathcal{T}_K(M)$. The verification algorithm
$\mathcal{V}$ is deterministic. It takes the key $K$, a message $M$, and a candidate tag $\sigma$ for $M$
to return a bit $v$; we write $v \leftarrow \mathcal{V}_K(M, \sigma)$. We require that $\mathcal{V}_K(M, \mathcal{T}_K(M)) = 1$
for all $M \in \{0,1\}^*$. The scheme is said to be deterministic if the tagging algorithm
is deterministic and verification is done via tag re-computation. We sometimes call a
message authentication scheme a MAC, and also sometimes call the tag $\sigma$ a MAC.

Security for message authentication considers an adversary $F$ who is allowed a
chosen-message attack, modeled by allowing it access to an oracle for $\mathcal{T}_K(\cdot)$. $F$ is "successful" if it can make the verifying oracle $\mathcal{V}_K(\cdot,\cdot)$ accept a pair $(M, \sigma)$ that was not
"legitimately produced." There are two possible conventions with regard to what "legitimately produced" can mean, leading to two measures of advantage. In the following
definition, we use the acronyms WUF-CMA and SUF-CMA respectively for weak and
strong unforgeability against chosen-message attacks.

Definition 4. (Message Authentication Scheme Security) Let $\mathcal{MA} = (\mathcal{K}, \mathcal{T}, \mathcal{V})$ be a
message authentication scheme. Let $k \in \mathbb{N}$, and let $F_w$ and $F_s$ be adversaries that have
access to two oracles: $\mathcal{T}_K(\cdot)$ and $\mathcal{V}_K(\cdot,\cdot)$. Consider the following experiments:

Experiment $\mathbf{Exp}^{\textrm{wuf-cma}}_{\mathcal{MA},F_w}(k)$
  $K \leftarrow \mathcal{K}(k)$
  If $F_w^{\mathcal{T}_K(\cdot),\mathcal{V}_K(\cdot,\cdot)}(k)$ makes a query $(M, \sigma)$ to the oracle $\mathcal{V}_K(\cdot,\cdot)$ such that
    - $\mathcal{V}_K(M, \sigma)$ returns 1, and
    - $M$ was never queried to the oracle $\mathcal{T}_K(\cdot)$,
  then return 1 else return 0.

Experiment $\mathbf{Exp}^{\textrm{suf-cma}}_{\mathcal{MA},F_s}(k)$
  $K \leftarrow \mathcal{K}(k)$
  If $F_s^{\mathcal{T}_K(\cdot),\mathcal{V}_K(\cdot,\cdot)}(k)$ makes a query $(M, \sigma)$ to the oracle $\mathcal{V}_K(\cdot,\cdot)$ such that
    - $\mathcal{V}_K(M, \sigma)$ returns 1, and
    - $\sigma$ was never returned by the oracle $\mathcal{T}_K(\cdot)$ in response to query $M$,
  then return 1 else return 0.

We define the advantages of the forgers via

$$\mathbf{Adv}^{\textrm{wuf-cma}}_{\mathcal{MA},F_w}(k) = \Pr\left[\mathbf{Exp}^{\textrm{wuf-cma}}_{\mathcal{MA},F_w}(k) = 1\right]$$

$$\mathbf{Adv}^{\textrm{suf-cma}}_{\mathcal{MA},F_s}(k) = \Pr\left[\mathbf{Exp}^{\textrm{suf-cma}}_{\mathcal{MA},F_s}(k) = 1\right] .$$

We define the advantage functions of the scheme as follows. For any integers $t, q_t, q_v, \mu$,

$$\mathbf{Adv}^{\textrm{wuf-cma}}_{\mathcal{MA}}(k, t, q_t, q_v, \mu) = \max_{F_w}\left\{\mathbf{Adv}^{\textrm{wuf-cma}}_{\mathcal{MA},F_w}(k)\right\}$$

$$\mathbf{Adv}^{\textrm{suf-cma}}_{\mathcal{MA}}(k, t, q_t, q_v, \mu) = \max_{F_s}\left\{\mathbf{Adv}^{\textrm{suf-cma}}_{\mathcal{MA},F_s}(k)\right\}$$

where the maximum is over all $F_w$, $F_s$ with time complexity $t$, making at most $q_t$ oracle
queries to $\mathcal{T}_K(\cdot)$ and at most $q_v$ oracle queries to $\mathcal{V}_K(\cdot,\cdot)$ such that the sum of the
lengths of all oracle queries is at most $\mu$ bits. The scheme $\mathcal{MA}$ is said to be WUF-CMA
secure (resp. SUF-CMA secure) if the function $\mathbf{Adv}^{\textrm{wuf-cma}}_{\mathcal{MA},F}(\cdot)$ (resp. $\mathbf{Adv}^{\textrm{suf-cma}}_{\mathcal{MA},F}(\cdot)$)
is negligible for any forger $F$ whose time complexity is polynomial in $k$. $\blacksquare$

3 Relations among Notions

In this section, we state the formal versions of the results summarized in Figure 1. We
begin with the implications and then move to the separations. All proofs are in the full
version of this paper [5]. The first implication, below, is a triviality:

Theorem 1. (INT-CTXT $\rightarrow$ INT-PTXT) Let $\mathcal{SE}$ be an encryption scheme. If $\mathcal{SE}$ is
INT-CTXT secure, then it is INT-PTXT secure as well. Concretely:

$$\mathbf{Adv}^{\textrm{int-ptxt}}_{\mathcal{SE}}(k, t, q_e, q_d, \mu) \le \mathbf{Adv}^{\textrm{int-ctxt}}_{\mathcal{SE}}(k, t, q_e, q_d, \mu) . \quad \blacksquare$$

The next implication is more interesting:

Theorem 2. (INT-CTXT $\wedge$ IND-CPA $\rightarrow$ IND-CCA) Let $\mathcal{SE}$ be an encryption scheme.
If $\mathcal{SE}$ is INT-CTXT secure and IND-CPA secure, then it is IND-CCA secure. Concretely:

$$\mathbf{Adv}^{\textrm{ind-cca}}_{\mathcal{SE}}(k, t, q_e, q_d, \mu) \le 2 \cdot \mathbf{Adv}^{\textrm{int-ctxt}}_{\mathcal{SE}}(k, t, q_e, q_d, \mu) + \mathbf{Adv}^{\textrm{ind-cpa}}_{\mathcal{SE}}(k, t, q_e, \mu) . \quad \blacksquare$$

Next we have the formal statements of the separation results.

Proposition 1. (IND-CCA $\not\rightarrow$ INT-PTXT) Given a symmetric encryption scheme $\mathcal{SE}$
which is IND-CCA secure, we can construct a symmetric encryption scheme $\mathcal{SE}'$ which
is also IND-CCA secure but is not INT-PTXT secure. $\blacksquare$

Proposition 2. (INT-PTXT $\wedge$ IND-CPA $\not\rightarrow$ NM-CPA) Given a symmetric encryption
scheme $\mathcal{SE}$ which is both INT-PTXT secure and IND-CPA secure, we can construct a
symmetric encryption scheme $\mathcal{SE}'$ which is also both INT-PTXT secure and IND-CPA
secure but is not NM-CPA secure. $\blacksquare$

4 Security of the Composite Schemes

We now present the formal security results for the composite schemes as summarized
in Figure 3. The proofs can be found in the full version of this paper [5]. Proofs for the
results of Figure 2 are omitted.

Throughout this section, $\mathcal{SE} = (\mathcal{K}_e, \mathcal{E}, \mathcal{D})$ is a given symmetric encryption scheme
which is IND-CPA secure, $\mathcal{MA} = (\mathcal{K}_m, \mathcal{T}, \mathcal{V})$ is a given message authentication
scheme which is SUF-CMA secure, and $\overline{\mathcal{SE}} = (\overline{\mathcal{K}}, \overline{\mathcal{E}}, \overline{\mathcal{D}})$ is a composite scheme according to one of the three methods we are considering. The presentation below is
method by method, and in each case we begin by specifying the method in more detail.

We make the simplifying assumption that $\mathcal{D}$ never returns $\bot$. It can take any string
as input, and the output is always some string. (This is without loss of generality because
we can modify $\mathcal{D}$ so that instead of returning $\bot$ it just returns some default message.
Security under chosen-plaintext attack is unaffected.) However, $\overline{\mathcal{D}}$ can and will return
$\bot$ at times, and this is crucial for integrity.

Encrypt-and-MAC Plaintext. The composite scheme is defined as follows:

Algorithm $\overline{\mathcal{K}}(k)$
  $K_e \leftarrow \mathcal{K}_e(k)$
  $K_m \leftarrow \mathcal{K}_m(k)$
  Return $(K_e, K_m)$

Algorithm $\overline{\mathcal{E}}_{(K_e, K_m)}(M)$
  $C' \leftarrow \mathcal{E}_{K_e}(M)$
  $\tau \leftarrow \mathcal{T}_{K_m}(M)$
  $C \leftarrow C' \,\|\, \tau$
  Return $C$

Algorithm $\overline{\mathcal{D}}_{(K_e, K_m)}(C)$
  Parse $C$ as $C' \,\|\, \tau$
  $M \leftarrow \mathcal{D}_{K_e}(C')$
  $v \leftarrow \mathcal{V}_{K_m}(M, \tau)$
  If $v = 1$, return $M$
  else return $\bot$.

This composition method does not preserve privacy because the MAC could reveal
information about the plaintext. (A deterministic MAC, for instance, lets an adversary
see when the same plaintext is encrypted twice, which already violates left-or-right
indistinguishability.)

Proposition 3. (Encrypt-and-MAC plaintext method is not IND-CPA secure) Given
an IND-CPA secure symmetric encryption scheme $\mathcal{SE}$ and a SUF-CMA secure message authentication scheme $\mathcal{MA}$, we can construct a message authentication scheme
$\mathcal{MA}'$ such that $\mathcal{MA}'$ is SUF-CMA secure, but the composite scheme $\overline{\mathcal{SE}}$ formed by
the encrypt-and-MAC plaintext composition method based on $\mathcal{SE}$ and $\mathcal{MA}'$ is not
IND-CPA secure. $\blacksquare$

Since both IND-CCA and NM-CPA imply IND-CPA, this means that this composition
method is also neither IND-CCA nor NM-CPA secure.

The encrypt-and-MAC plaintext composition method, however, inherits the integrity of the MAC in a direct way:

Theorem 3. (Encrypt-and-MAC plaintext method is INT-PTXT secure) Let $\mathcal{SE}$ be a
symmetric encryption scheme, let $\mathcal{MA}$ be a message authentication scheme, and let
$\overline{\mathcal{SE}}$ be the encryption scheme obtained from $\mathcal{SE}$ and $\mathcal{MA}$ via the encrypt-and-MAC
plaintext composition method. Then, if $\mathcal{MA}$ is SUF-CMA secure, then $\overline{\mathcal{SE}}$ is INT-PTXT
secure. Concretely:

$$\mathbf{Adv}^{\textrm{int-ptxt}}_{\overline{\mathcal{SE}}}(k, t, q_e, q_d, \mu) \le \mathbf{Adv}^{\textrm{suf-cma}}_{\mathcal{MA}}(k, t, q_e, q_d, \mu) . \quad \blacksquare$$

However, this composition method fails in general to provide integrity of ciphertexts.
This is because there are secure encryption schemes with the property that a ciphertext
can be modified without changing its decryption. When such an encryption scheme is
used as the base symmetric encryption scheme, an adversary can query the encryption
oracle, modify part of the response, and still submit the result to the verification oracle
as a valid ciphertext. The following proposition states this result.

Proposition 4. (Encrypt-and-MAC plaintext method is not INT-CTXT secure) Given
an IND-CPA secure symmetric encryption scheme $\mathcal{SE}$ and a SUF-CMA secure message
authentication scheme $\mathcal{MA}$, we can construct a symmetric encryption scheme $\mathcal{SE}'$ such
that $\mathcal{SE}'$ is IND-CPA secure, but the composite scheme $\overline{\mathcal{SE}}$ formed by the encrypt-and-MAC plaintext composition method based on $\mathcal{SE}'$ and $\mathcal{MA}$ is not INT-CTXT secure. $\blacksquare$


MAC-then-Encrypt. The composite scheme is defined as follows:

Algorithm $\overline{\mathcal{K}}(k)$
  $K_e \leftarrow \mathcal{K}_e(k)$
  $K_m \leftarrow \mathcal{K}_m(k)$
  Return $(K_e, K_m)$

Algorithm $\overline{\mathcal{E}}_{(K_e, K_m)}(M)$
  $\tau \leftarrow \mathcal{T}_{K_m}(M)$
  $C \leftarrow \mathcal{E}_{K_e}(M \,\|\, \tau)$
  Return $C$

Algorithm $\overline{\mathcal{D}}_{(K_e, K_m)}(C)$
  $M' \leftarrow \mathcal{D}_{K_e}(C)$
  Parse $M'$ as $M \,\|\, \tau$
  $v \leftarrow \mathcal{V}_{K_m}(M, \tau)$
  If $v = 1$, return $M$
  else return $\bot$.

The MAC-then-encrypt composition method preserves both privacy against chosen-plaintext attack and integrity of plaintexts, as stated in the following theorem.

Theorem 4. (MAC-then-encrypt method is both INT-PTXT and IND-CPA secure)
Let $\mathcal{MA}$ be a message authentication scheme, and let $\mathcal{SE}$ be a symmetric encryption
scheme. Let $\overline{\mathcal{SE}}$ be the encryption scheme obtained from $\mathcal{SE}$ and $\mathcal{MA}$ via the
MAC-then-encrypt composition method. Then, if $\mathcal{MA}$ is SUF-CMA secure, then $\overline{\mathcal{SE}}$
is INT-PTXT secure. Furthermore, if $\mathcal{SE}$ is IND-CPA secure, then so is $\overline{\mathcal{SE}}$. Concretely:

$$\mathbf{Adv}^{\textrm{int-ptxt}}_{\overline{\mathcal{SE}}}(k, t_i, q_e, q_d, \mu_i) \le \mathbf{Adv}^{\textrm{suf-cma}}_{\mathcal{MA}}(k, t_i, q_e, q_d, \mu_i)$$

$$\mathbf{Adv}^{\textrm{ind-cpa}}_{\overline{\mathcal{SE}}}(k, t_p, q, \mu_p) \le \mathbf{Adv}^{\textrm{ind-cpa}}_{\mathcal{SE}}(k, t_p, q, \mu_p) . \quad \blacksquare$$

However, the base encryption scheme might be malleable, and this will be inherited by
the composite scheme.

Proposition 5. (MAC-then-encrypt method is not NM-CPA secure) Given an IND-CPA
secure symmetric encryption scheme $\mathcal{SE}$ and a SUF-CMA secure message authentication scheme $\mathcal{MA}$, we can construct a symmetric encryption scheme $\mathcal{SE}'$ such that $\mathcal{SE}'$
is IND-CPA secure, but the composite scheme $\overline{\mathcal{SE}}$ formed by the MAC-then-encrypt
composition method based on $\mathcal{SE}'$ and $\mathcal{MA}$ is not NM-CPA secure. $\blacksquare$

Since IND-CCA implies NM-CPA, this composition method is also not IND-CCA secure. Furthermore, the fact that it is IND-CPA secure but not NM-CPA secure implies,
by Theorem 2 (INT-CTXT together with IND-CPA would give IND-CCA and hence NM-CPA),
that it is not INT-CTXT secure.

Encrypt-then-MAC. The composite scheme is defined as follows:

Algorithm $\overline{\mathcal{K}}(k)$
  $K_e \leftarrow \mathcal{K}_e(k)$
  $K_m \leftarrow \mathcal{K}_m(k)$
  Return $(K_e, K_m)$

Algorithm $\overline{\mathcal{E}}_{(K_e, K_m)}(M)$
  $C' \leftarrow \mathcal{E}_{K_e}(M)$
  $\tau' \leftarrow \mathcal{T}_{K_m}(C')$
  $C \leftarrow C' \,\|\, \tau'$
  Return $C$

Algorithm $\overline{\mathcal{D}}_{(K_e, K_m)}(C)$
  Parse $C$ as $C' \,\|\, \tau'$
  $M \leftarrow \mathcal{D}_{K_e}(C')$
  $v \leftarrow \mathcal{V}_{K_m}(C', \tau')$
  If $v = 1$, return $M$
  else return $\bot$.

The following theorem implies that the encrypt-then-MAC composition method is
IND-CPA, IND-CCA, NM-CPA, INT-PTXT and INT-CTXT secure.

Theorem 5. (Encrypt-then-MAC method is INT-CTXT, IND-CPA, and IND-CCA secure) Let $\mathcal{SE}$ be a symmetric encryption scheme, and let $\mathcal{MA}$ be a message authentication scheme. Let $\overline{\mathcal{SE}}$ be the authenticated encryption scheme obtained from $\mathcal{SE}$ and
$\mathcal{MA}$ via the encrypt-then-MAC composition method. Then, if $\mathcal{MA}$ is SUF-CMA secure, then $\overline{\mathcal{SE}}$ is INT-CTXT secure. If $\mathcal{SE}$ is IND-CPA secure, then so is $\overline{\mathcal{SE}}$. And if we
have both of the previous conditions, then $\overline{\mathcal{SE}}$ is IND-CCA secure. Concretely:

$$\mathbf{Adv}^{\textrm{int-ctxt}}_{\overline{\mathcal{SE}}}(k, t_2, q_e, q_d, \mu_2) \le \mathbf{Adv}^{\textrm{suf-cma}}_{\mathcal{MA}}(k, t_2, q_e, q_d, \mu_2)$$

$$\mathbf{Adv}^{\textrm{ind-cpa}}_{\overline{\mathcal{SE}}}(k, t_3, q_e, \mu_3) \le \mathbf{Adv}^{\textrm{ind-cpa}}_{\mathcal{SE}}(k, t_3, q_e, \mu_3)$$

and

$$\mathbf{Adv}^{\textrm{ind-cca}}_{\overline{\mathcal{SE}}}(k, t_4, q_e, q_d, \mu_4) \le 2 \cdot \mathbf{Adv}^{\textrm{suf-cma}}_{\mathcal{MA}}(k, t_4, q_e, q_d, \mu_4) + \mathbf{Adv}^{\textrm{ind-cpa}}_{\mathcal{SE}}(k, t_4, q_e, \mu_4) . \quad \blacksquare$$
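The three composition methods of Section 4, together with adversaries for the two encrypt-and-MAC failures (Propositions 3 and 4) and the tamper check that encrypt-then-MAC passes, as an added example in Python; this is not code from the paper. It assumes a toy base scheme $\mathcal{SE}$: counter mode with a random 16-byte IV whose keystream comes from HMAC-SHA256 used as the PRF, so $\mathcal{SE}$ is IND-CPA under the PRF assumption, is malleable, and its decryption never returns $\bot$ (the Section 4 convention). The MAC $\mathcal{MA}$ is HMAC-SHA256, a deterministic SUF-CMA MAC. The IND-CPA adversary uses a simpler witness than the paper's constructed $\mathcal{MA}'$: any deterministic MAC leaks plaintext equality through the tag. The INT-CTXT adversary follows the idea of Proposition 4 with a base scheme $\mathcal{SE}'$ whose ciphertexts carry a trailing byte that decryption ignores. All function names and the sample messages are the example's own.

```python
# Added example, not the paper's code: the three composition methods of Section 4
# over a toy base scheme, with adversaries for the failure modes the text describes.
# Assumptions: base scheme SE is counter mode with a random 16-byte IV and keystream
# blocks F(K_e, IV || ctr) from HMAC-SHA256 as the PRF (IND-CPA under the PRF
# assumption, malleable, decryption never returns bottom); MA is HMAC-SHA256.
import hashlib, hmac, os

IV_LEN, TAG_LEN, KEY_LEN = 16, 32, 32

def prf(key, x):
    return hmac.new(key, x, hashlib.sha256).digest()

def keystream(ke, iv, nbytes):
    blocks = (nbytes + 31) // 32
    return b"".join(prf(ke, iv + i.to_bytes(4, "big")) for i in range(blocks))[:nbytes]

def enc(ke, m):
    """Base scheme SE: C = IV || (M xor keystream)."""
    iv = os.urandom(IV_LEN)
    return iv + bytes(a ^ b for a, b in zip(m, keystream(ke, iv, len(m))))

def dec(ke, c):
    """Base decryption: any string decrypts to some string (Section 4 convention)."""
    iv, body = c[:IV_LEN], c[IV_LEN:]
    return bytes(a ^ b for a, b in zip(body, keystream(ke, iv, len(body))))

def mac(km, m):
    return prf(km, m)

def vf(km, m, tag):
    return hmac.compare_digest(mac(km, m), tag)

def eam_enc(ke, km, m):           # Encrypt-and-MAC plaintext: C' || T_{K_m}(M)
    return enc(ke, m) + mac(km, m)

def eam_dec(ke, km, c):
    cp, tag = c[:-TAG_LEN], c[-TAG_LEN:]
    m = dec(ke, cp)
    return m if vf(km, m, tag) else None

def mte_enc(ke, km, m):           # MAC-then-encrypt: E_{K_e}(M || T_{K_m}(M))
    return enc(ke, m + mac(km, m))

def mte_dec(ke, km, c):
    mp = dec(ke, c)
    m, tag = mp[:-TAG_LEN], mp[-TAG_LEN:]
    return m if len(mp) >= TAG_LEN and vf(km, m, tag) else None

def etm_enc(ke, km, m):           # Encrypt-then-MAC: C' || T_{K_m}(C')
    cp = enc(ke, m)
    return cp + mac(km, cp)

def etm_dec(ke, km, c):
    cp, tag = c[:-TAG_LEN], c[-TAG_LEN:]
    return dec(ke, cp) if vf(km, cp, tag) else None

def roundtrip_all(m=b"the quick brown fox jumps over the lazy dog"):
    ke, km = os.urandom(KEY_LEN), os.urandom(KEY_LEN)
    pairs = ((eam_enc, eam_dec), (mte_enc, mte_dec), (etm_enc, etm_dec))
    return all(d(ke, km, e(ke, km, m)) == m for e, d in pairs)

def ind_cpa_tag_attack(b):
    """Left-or-right adversary against encrypt-and-MAC with a deterministic MAC
    (a simpler witness than the paper's constructed MA'). Query (M0, M0) then
    (M0, M1): the tag is a function of the plaintext alone, so equal tags mean
    the left message was encrypted. Returns the adversary's guess of b."""
    ke, km = os.urandom(KEY_LEN), os.urandom(KEY_LEN)
    def lr_oracle(x0, x1):
        assert len(x0) == len(x1)
        return eam_enc(ke, km, x1 if b == 1 else x0)
    m0, m1 = b"attack at dawn!!", b"attack at dusk!!"
    c1, c2 = lr_oracle(m0, m0), lr_oracle(m0, m1)
    return 0 if c1[-TAG_LEN:] == c2[-TAG_LEN:] else 1

def enc_redundant(ke, m):         # SE' in the spirit of Proposition 4:
    return enc(ke, m) + b"\x00"   # a trailing byte that decryption ignores
def dec_redundant(ke, c):
    return dec(ke, c[:-1])

def int_ctxt_attack_eam():
    """Encrypt-and-MAC over SE': flip the ignored byte of a legitimate ciphertext.
    The result was never output by the encryption oracle yet D*_K accepts it, so
    INT-CTXT fails; the recovered plaintext was legitimately MACed, so this
    query does not break INT-PTXT."""
    ke, km = os.urandom(KEY_LEN), os.urandom(KEY_LEN)
    m = b"transfer 100"
    c = enc_redundant(ke, m) + mac(km, m)
    forged = c[:-TAG_LEN - 1] + b"\xff" + c[-TAG_LEN:]
    cp, tag = forged[:-TAG_LEN], forged[-TAG_LEN:]
    mp = dec_redundant(ke, cp)
    return forged != c and mp == m and vf(km, mp, tag)

def etm_rejects_tampering():
    """Flip one bit of the ciphertext body: the base CTR scheme is malleable
    (the flip lands in the plaintext) but the MAC over C' rejects it."""
    ke, km = os.urandom(KEY_LEN), os.urandom(KEY_LEN)
    m = b"transfer 100"
    c = etm_enc(ke, km, m)
    tampered = c[:IV_LEN] + bytes([c[IV_LEN] ^ 0x01]) + c[IV_LEN + 1:]
    malleable = dec(ke, tampered[:-TAG_LEN]) == bytes([m[0] ^ 0x01]) + m[1:]
    return malleable and etm_dec(ke, km, tampered) is None and etm_dec(ke, km, c) == m
```

`roundtrip_all()` checks that all three decryptions recover the plaintext. `ind_cpa_tag_attack(b)` returns the adversary's guess, which equals `b` for both values, so its advantage in the left-or-right game is 1. `int_ctxt_attack_eam()` returns True when the modified ciphertext verifies, and `etm_rejects_tampering()` returns True when the base CTR scheme accepts the flipped bit while encrypt-then-MAC rejects it; the same flip against MAC-then-encrypt is also caught, but only because the MAC covers the decrypted plaintext, which is why Theorem 4 gives INT-PTXT and not INT-CTXT.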
Abstract. Rather than use a shared key directly to cryptographically
process (e.g. encrypt or authenticate) data one can use it as a master key 
to derive subkeys, and use the subkeys for the actual cryptographic pro- 
cessing. This popular paradigm is called re-keying, and the expectation 
is that it is good for security. In this paper we provide concrete security 
analyses of various re-keying mechanisms and their usage. We show that 
re-keying does indeed “increase” security, effectively extending the life- 
time of the master key and bringing significant, provable security gains 
in practical situations. We quantify the security provided by different re- 
keying processes as a function of the security of the primitives they use, 
thereby enabling a user to choose between different re-keying processes 
given the constraints of some application. 


1 Introduction 

Re-keying (also called key-derivation) is a commonly employed paradigm in com- 
puter security systems, about whose security benefits users appear to have vari- 
ous expectations. Yet the security of these methods has not been systematically 
investigated. Let us begin with some examples that illustrate usage, commonly 
employed implementations, and motivation for re-keying, and see what security 
issues are raised. We then go on to our results. 

Re-keyed encryption. Say two parties share a key $K$, and want to encrypt
data they send to each other. They will use some block cipher based mode of
operation, say CBC. The straightforward approach is to use $K$ directly to encrypt
the data. An often employed alternative is re-keyed encryption. The key $K$ is not
used to encrypt data but rather viewed as a master key. Subkeys $K_1, K_2, K_3, \ldots$
are derived from $K$, by some process called the re-keying process. A certain
number $l$ of messages are encrypted using $K_1$ and then the parties switch to $K_2$.
Once $l$ messages have been encrypted under $K_2$ they switch to $K_3$ and so on.

Examples of re-keying methods. Many different re-keying methods are possible. Let us outline two of them. In each case $F(\cdot, \cdot)$ is a map that takes a $k$-bit
key $\kappa$ and $k$-bit input $x$ to a $k$-bit output $F(\kappa, x)$. (This might be implemented
via a block cipher or a keyed hash function.) The parallel method consists of
setting $K_i = F(K, i)$ for $i = 1, 2, \ldots$. The serial method sets $k_0 = K$ and then
sets $K_i = F(k_{i-1}, 0)$ and $k_i = F(k_{i-1}, 1)$ for $i = 1, 2, \ldots$. Many other methods
are possible, including hybrids of these two such as tree-based re-keying [1].

Why re-key? Common attacks base their success on the ability to get lots of
encryptions under a single key. For example differential or linear cryptanalysis
[10,17] will recover a DES key once a certain threshold number of encryptions
have been performed using it. Furthermore, most modes of operation are subject to birthday attacks [3], leading to compromise of the privacy of a scheme
based on a block cipher with block size $k$ once $2^{k/2}$ encryptions are performed
under the same key. Typically, the birthday threshold is lower than that of the
cryptanalytic attacks.

Thus, if encryption is performed under a single key, there is a certain max- 
imum threshold number of messages that can be safely encrypted. Re-keying 
protects against attacks such as the above by changing the key before the thresh- 
old number of encryptions permitting the attack is reached. It thus effectively 
extends the lifetime of the (master) key, increasing the threshold number of 
encryptions that can be performed without requiring a new exchange of keys. 

Questions. Although re-keying is common practice, its security has not been 
systematically investigated. We are interested in the following kinds of questions. 
Does re-keying really work, in the sense that there is some provable increase in 
security of an application like re-keyed encryption described above? That is, 
can one prove that the encryption threshold — number of messages of some 
fixed length that can be safely encrypted — increases with re-keying? How do 
different re-keying processes compare in terms of security benefits? Do some offer 
more security than others? How frequently should the key be changed, meaning 
how should one choose the parameter l given the parameters of a cryptographic 
system? 

High level answers. At the highest level, our answer to the most basic ques- 
tion (does re-keying increase security?) is “YES.” We are able to justify the pre- 
vailing intuition with concrete security analyses in the provable security frame- 
work and show that re-keying, properly done, brings significant security gains in 
practical situations, including an increase in the encryption threshold. Seen from 
closer up, our results give more precise and usable information. We quantify the 
security provided by different re-keying processes as a function of the security of 
the primitives they use. This enables comparison between these processes. Thus, 
say a user wants to encrypt a certain amount of data with a block cipher of a 
certain strength: our results can enable this user to figure out which re-keying 
scheme to use, with what parameters, and what security expectations. 

Re-keyed CBC encryption. As a sample of our results we discuss CBC encryption. Suppose we CBC encrypt with a block cipher $F$ having key-length
and block-length $k$. Let's define the encryption threshold as the number $Q$ of
$k$-bit messages that can be safely encrypted. We know from [3] that this value is
$Q \approx 2^{k/2}$ for the single-key scheme. We now consider re-keyed CBC encryption
under the parallel or serial re-keying methods discussed above where we use the
same block cipher $F$ as the re-keying function. We show that by re-keying every
$2^{k/3}$ encryptions, i.e. setting the subkey lifetime $l = 2^{k/3}$, the encryption threshold increases to $Q \approx 2^{2k/3}$. That is, one can safely encrypt significantly more
data by using re-keying. The analysis can be found in Section 3.

Overview of approach and results. Re-keying can be used in conjunction 
with any shared-key based cryptographic data processing. This might be data 
encryption, under any of the common modes of operation; it might be data au- 
thentication using some MAC; it might be something else. We wish to provide 
tools that enable the analysis of any of these situations. So rather than analyze 
each re-keyed application independently, we take a modular approach. We iso- 
late the re-keying process, which is responsible for producing subkeys based on 
a master key, from the application which uses the subkeys. We then seek a gen- 
eral security attribute of the re-keying process which, if present, would enable 
one to analyze the security of any re-keying based application. We suggest that 
this attribute is pseudorandomness. We view the re-keying process as a stateful 
pseudorandom bit generator and adopt a standard notion of security for pseu- 
dorandom bit generators [11,18]. We measure pseudorandomness quantitatively, 
associating to any re-keying process (stateful generator) $\mathcal{G}$ an advantage function $\mathbf{Adv}^{\mathrm{prg}}_{\mathcal{G},n}(t)$, which is the maximum probability of being able to distinguish $n$
output blocks of the generator from a random string of the same length when the 
distinguishing adversary has running time at most t. We then analyze the paral- 
lel and serial generators, upper bounding their advantage functions in terms of 
an advantage function associated to the underlying primitive F. See Section 2. 

To illustrate an application, we then consider re-keyed symmetric encryption. 
We associate a re-keyed encryption scheme to any base symmetric encryption 
scheme (e.g. CBC) and any generator. We show how the advantage function 
of the re-keyed encryption scheme can be bounded in terms of the advantage 
function of the base scheme and the advantage function of the generator. (The 
advantage function of an encryption scheme, whether the base or re-keyed one, 
measures the breaking probability as a function of adversary resources under 
the notion of left-or-right security of [3].) Coupling our results about the parallel 
and serial generators with known analyses of CBC encryption [3] enables us to 
derive conclusions about the encryption threshold for CBC as discussed above. 
See Section 3. 

Security of the parallel and serial generators. Our analysis of the 
parallel and serial generators as given by Theorems 1 and 2 indicates that their 
advantage functions depend differently on the advantage function of the under- 
lying primitive F. (We model the latter as a pseudorandom function [13] and 
associate an advantage function as per [5].) In general, the parallel generator 
provides better security. This is true already when F is a block cipher but even 
more strikingly the case when F is a non-invertible PRF. This should be kept 
in mind when choosing between the generators for re-keying. However, whether 
or not it eventually helps depends also on the application. For example, with 
CBC encryption, there is no particular difference in the quantitative security 
provided by parallel and serial re-keying (even though both provide gains over
the single-key scheme). This is due to the shape of the curve of the advantage
function of the base CBC encryption function as explained in Section 3.
Forward security. Another possible motivation for re-keying is to provide 
forward security. The goal here is to minimize the amount of damage that might 
be caused by key exposure due, for instance, to compromise of the security of the 
underlying system storing the secret key. (Forward security was first considered 
for session keys [15,12] and then for digital signatures [7].) Under re-keying, 
the adversary would only get the current subkey and state of the system. It 
could certainly figure out all future subkeys, but what about past ones? If the 
re-keying process is appropriately designed, it can have forward security: the 
past subkeys will remain computationally infeasible for the adversary to derive 
even given the current subkey and state, and thus ciphertexts that were formed 
under them will not be compromised. It is easy to see that the parallel generator 
does not provide forward security. It can be shown however that the serial one 
does. A treatment of forward security in the symmetric setting, including a proof 
of the forward security of the serial generator and the corresponding re-keyed 
encryption scheme, can be found in [9] . 

Related work. Another approach to increasing the encryption threshold, dis- 
cussed in [6], is to use a mode of encryption not subject to birthday attack 
(e.g. CTR rather than CBC) and implement this using a non-invertible, high se- 
curity PRF rather than a block cipher. Constructions of appropriate PRFs have 
been provided in [6,16]. Re-keying is cheaper in that one can use the given block 
cipher and a standard mode like CBC and still push the encryption threshold 
well beyond the birthday threshold. 

Re-keying requires that parties maintain state. Stateless methods of increas- 
ing security beyond the birthday bound are discussed in [4]. 

2 Re-keying Processes as Pseudorandom Generators 

The subkeys derived by a re-keying process may be used in many different ways: 
data encryption or authentication are some but not all of these. To enable mod- 
ular analysis, we separate the subkey generation from the application that uses 
the subkeys. We view the re-keying process — which generates the subkeys — as 
a stateful pseudorandom bit generator. In this section we provide quantitative 
assessments of the security of various re-keying schemes with regard to notions of 
security for pseudorandom generators. These application independent results are 
used in later sections to assess the security of a variety of different applications 
under re-keying. 

Stateful generators. A stateful generator $\mathcal{G} = (\mathcal{K}, \mathcal{N})$ is a pair of algorithms.
The probabilistic key generation algorithm $\mathcal{K}$ produces the initial state, or seed,
of the generator. The deterministic next step algorithm $\mathcal{N}$ takes the current state
as input and returns a block, viewed as the output of this stage, and an updated
state, to be stored and used in the next invocation. A sequence $Out_1, Out_2, \ldots$
of pseudorandom blocks is defined by first picking an initial seed $St_0 \leftarrow \mathcal{K}$ and
then iterating: $(Out_i, St_i) \leftarrow \mathcal{N}(St_{i-1})$ for $i \ge 1$. (When the generator is used for
re-keying, these are the subkeys. Thus $Out_i$ was denoted $K_i$ in Section 1.) We
assume all output blocks are of the same length and call this the block length.

We now specify two particular generators, the parallel and serial ones. We fix
a PRF $F\colon \{0,1\}^k \times \{0,1\}^k \to \{0,1\}^k$. (As the notation indicates, we are making
the simplifying assumption that the key length, as well as the input and output
lengths of each individual function $F(K, \cdot)$, are all equal to $k$.) In practice, this
might be instantiated via a block cipher or via a keyed hash function such as
HMAC [2]. (For example, if DES is used, then we set $k = 64$ and define $F(K, \cdot)$
to be $\mathrm{DES}(K[1..56], \cdot)$.)


Construction 1. (Parallel generator) The $F$-based parallel generator 
$\mathcal{PG}[F] = (\mathcal{K}, \mathcal{N})$ is defined by 

Algorithm $\mathcal{K}$ 
    $K \leftarrow \{0,1\}^k$ 
    Return $(0, K)$ 

Algorithm $\mathcal{N}((i, K))$ 
    $Out \leftarrow F(K, i)$ 
    Return $(Out, (i + 1, K))$ 

The state has the form $(i, K)$ where $K$ is the initial seed and $i$ is a counter, 
initially zero. In the $i$-th stage, the output block is obtained by applying the $K$-keyed 
PRF to the ($k$-bit binary representation of the integer) $i$, and the counter 
is updated. This generator has block length $k$. 


Construction 2. (Serial generator) The $F$-based serial generator $\mathcal{SG}[F] = 
(\mathcal{K}, \mathcal{N})$ is defined by 

Algorithm $\mathcal{K}$ 
    $K \leftarrow \{0,1\}^k$ 
    Return $K$ 

Algorithm $\mathcal{N}(K)$ 
    $Out \leftarrow F(K, 0)$ 
    $K \leftarrow F(K, 1)$ 
    Return $(Out, K)$ 

The state is a key $K$. In the $i$-th stage, the output block is obtained by applying 
the $K$-keyed PRF to the ($k$-bit binary representation of the integer) $0$, and the 
new state is a key generated by applying the $K$-keyed PRF to the ($k$-bit binary 
representation of the integer) $1$. This generator has block length $k$. 


Pseudorandomness. The standard desired attribute of a (stateful) generator is 
pseudorandomness of the output sequence. We adopt the notion of [11,18] which 
formalizes this by asking that the output of the generator on a random seed 
be computationally indistinguishable from a random string of the same length. 
Below, we concretize this notion by associating to any generator an advantage 
function which measures the probability that an adversary can detect a devia- 
tion in pseudorandomness as a function of the amount of time invested by the 
adversary. 

Definition 1. (Pseudorandomness of a stateful generator) Let $\mathcal{G} = 
(\mathcal{K}, \mathcal{N})$ be a stateful generator with block length $k$, let $n$ be an integer, and 
let $A$ be an adversary. Consider the experiments 

Experiment $\mathbf{Exp}^{\mathrm{prg\text{-}real}}_{\mathcal{G},n}(A)$ 
    $St_0 \leftarrow \mathcal{K}$ ; $s \leftarrow \varepsilon$ 
    for $i = 1, \ldots, n$ do 
        $(Out_i, St_i) \leftarrow \mathcal{N}(St_{i-1})$ ; $s \leftarrow s \| Out_i$ 
    $g \leftarrow A(s)$ 
    return $g$ 

Experiment $\mathbf{Exp}^{\mathrm{prg\text{-}rand}}_{\mathcal{G},n}(A)$ 
    $s \leftarrow \{0,1\}^{nk}$ 
    $g \leftarrow A(s)$ 
    return $g$ 

Now define the advantage of $A$ and the advantage function of the generator, 
respectively, as follows: 

$\mathbf{Adv}^{\mathrm{prg}}_{\mathcal{G},n}(A) = \Pr[\mathbf{Exp}^{\mathrm{prg\text{-}real}}_{\mathcal{G},n}(A) = 1] - \Pr[\mathbf{Exp}^{\mathrm{prg\text{-}rand}}_{\mathcal{G},n}(A) = 1]$ 

$\mathbf{Adv}^{\mathrm{prg}}_{\mathcal{G},n}(t) = \max_{A} \{ \mathbf{Adv}^{\mathrm{prg}}_{\mathcal{G},n}(A) \} ,$ 

where the maximum is over all $A$ with "time-complexity" $t$. 

Here "time-complexity" is the maximum of the execution times of the two experiments 
plus the size of the code for $A$, all in some fixed RAM model of 
computation. (Note that the execution time refers to that of the entire experiment, 
not just the execution time of the adversary.) The advantage function is 
the maximum likelihood of the security of the pseudorandom generator $\mathcal{G}$ being 
compromised by an adversary using the indicated resources. 

Security measure for PRFs. Since the security of the above constructions 
depends on that of the underlying PRF $F: \{0,1\}^k \times \{0,1\}^k \to \{0,1\}^k$, we recall 
the measure of [5], based on the notion of [13]. Let $R_k$ denote the family of all 
functions mapping $\{0,1\}^k$ to $\{0,1\}^k$, under the uniform distribution. If $D$ is a 
distinguisher having an oracle, then 

$\mathbf{Adv}^{\mathrm{prf}}_F(D) = \Pr[D^{F(K,\cdot)} = 1 : K \leftarrow \{0,1\}^k] - \Pr[D^{f} = 1 : f \leftarrow R_k]$ 

is the advantage of $D$. The advantage function of $F$ is 

$\mathbf{Adv}^{\mathrm{prf}}_F(t, q) = \max_{D} \{ \mathbf{Adv}^{\mathrm{prf}}_F(D) \} ,$ 

where the maximum is over all $D$ with "time-complexity" $t$ and making at most 
$q$ oracle queries. The time-complexity is the execution time of the experiment 
$K \leftarrow \{0,1\}^k$ ; $v \leftarrow D^{F(K,\cdot)}$ plus the size of the code of $D$, and, in particular, 
includes the time to compute $F_K(\cdot)$ and reply to oracle queries of $D$. 

Pseudorandomness of the parallel and serial generators. The following 
theorems, whose proofs can be found in Appendices A and B, show how 
the pseudorandomness of the two generators is related to the security of the 
underlying PRF. 

Theorem 1. Let $F: \{0,1\}^k \times \{0,1\}^k \to \{0,1\}^k$ be a PRF and let $\mathcal{PG}[F]$ be the 
$F$-based parallel generator defined in Construction 1. Then 

$\mathbf{Adv}^{\mathrm{prg}}_{\mathcal{PG}[F],n}(t) \le \mathbf{Adv}^{\mathrm{prf}}_F(t, n) .$ 

Theorem 2. Let $F: \{0,1\}^k \times \{0,1\}^k \to \{0,1\}^k$ be a PRF and let $\mathcal{SG}[F]$ be the 
$F$-based serial generator defined in Construction 2. Then 

$\mathbf{Adv}^{\mathrm{prg}}_{\mathcal{SG}[F],n}(t) \le n \cdot \mathbf{Adv}^{\mathrm{prf}}_F(t + \log n, 2) .$ 

The qualitative interpretation of the two theorems is the same: both the parallel 
and the serial generator are secure pseudorandom bit generators if the PRF is 
secure. The quantitative statements show however that the pseudorandomness 
of n output blocks depends differently on the security of the PRF in the two 
cases. For the parallel generator, it depends on the security of the PRF under n 
queries. For the serial generator, it depends on the security of the PRF against 
only a constant number of queries, but this term is multiplied by the number 
of output blocks. Comparing the functions on the right hand side in the two 
theorems will tell us which generator is more secure. 

Examples. As an example, assume $F$ is a block cipher. Since $F$ is a cipher, each 
map $F(K, \cdot)$ is a permutation, and birthday attacks can be used to distinguish 
$F$ from the family of random functions with a success rate growing as $q^2/2^k$ for 
$q$ queries (cf. [5, Proposition 2.4]). Let us make the (heuristic) assumption that 
this is roughly the best possible, meaning 

$\mathbf{Adv}^{\mathrm{prf}}_F(t, q) \approx \frac{q^2}{2^k} + \frac{t}{2^k}$    (1) 

for $t$ small enough to prevent cryptanalytic attacks. Now the above tells us that 
the advantage functions of the two generators grow as follows: 

$\mathbf{Adv}^{\mathrm{prg}}_{\mathcal{PG}[F],n}(t) \approx \frac{n^2 + t}{2^k}$ and $\mathbf{Adv}^{\mathrm{prg}}_{\mathcal{SG}[F],n}(t) \approx \frac{n(t + \log n) + 4n}{2^k} .$ 

Since $t \ge n$, the two functions are roughly comparable, but in fact the first one 
has a somewhat slower growth because we would expect that $t \gg n$. So, in this 
case, the parallel generator is somewhat better. 

Now assume $F$ is not a block cipher but something that better approximates 
a random function, having security beyond the birthday bound. Ideally, we would 
like something like 

$\mathbf{Adv}^{\mathrm{prf}}_F(t, q) \approx \frac{t}{2^k}$    (2) 

for $t$ small enough to prevent cryptanalytic attacks. This might be achieved by 
using a keyed hash function based construction, or by using PRFs constructed 
from block ciphers as per [6,16]. In this case we would get 

$\mathbf{Adv}^{\mathrm{prg}}_{\mathcal{PG}[F],n}(t) \approx \frac{t}{2^k}$ and $\mathbf{Adv}^{\mathrm{prg}}_{\mathcal{SG}[F],n}(t) \approx \frac{n(t + \log n)}{2^k} .$ 

Thinking of $t \approx n$ (it cannot be less but could be more, so this is an optimistic 
choice), we see that the first function has linear growth and the second has 
quadratic growth, meaning the parallel generator again offers better security, 
but this time in a more decisive way. 

These examples illustrate how the quantitative results of the theorems can be 
coupled with cryptanalytic knowledge or assumptions about the starting primi- 
tive F to yield information enabling a user to choose between the generators. 
3 Re-keyed Symmetric Encryption 

We fix a base encryption scheme. (For example, CBC mode encryption based 
on some block cipher.) We wish to encrypt data using this scheme, but with 
re-keying. Two things need to be decided. The first is how the re-keying is to be 
done, meaning how the subkeys will be computed. This corresponds to making 
a choice of stateful generator to generate the subkey sequence. The second is 
the lifetime of each subkey, meaning how many encryptions will be done with 
it. This corresponds to choosing an integer parameter l > 0 which we call the 
subkey lifetime. Associated to a base scheme, generator and subkey lifetime, is 
a particular re-keyed encryption scheme. We are interested in comparing the 
security of the re-keyed encryption scheme across different choices of re-keying 
processes (i.e. generators), keeping the base scheme and subkey lifetime fixed. 
In particular, we want to compare the use of the parallel and serial generators. 

Our analysis takes a modular approach. Rather than analyzing separately the 
re-keyed encryption schemes corresponding to different choices of generators, we 
first analyze the security of a re-keyed encryption scheme with an arbitrary 
generator, showing how the advantage of the encryption scheme can be bounded 
in terms of that of the generator and the base scheme. We then build on results 
of Section 2 to get results for re-keyed encryption with specific generators. We 
begin by specifying in more detail the re-keyed encryption scheme and saying 
how we measure security of symmetric encryption schemes. 

Re-keyed encryption schemes. Let $\mathcal{SE} = (\mathcal{K}_e, \mathcal{E}, \mathcal{D})$ be the base (symmetric) 
encryption scheme, specified by its key generation, encryption and decryption 
algorithms [3]. Let $\mathcal{G} = (\mathcal{K}_g, \mathcal{N})$ be a stateful generator with block size $k$, where 
$k$ is the length of the key of the base scheme. Let $l > 0$ be a subkey lifetime 
parameter. We associate to them a re-keyed encryption scheme $\overline{\mathcal{SE}} = \mathcal{SE}[\mathcal{SE}, \mathcal{G}, l] = 
(\overline{\mathcal{K}}, \overline{\mathcal{E}}, \overline{\mathcal{D}})$. This is a stateful encryption scheme which works as follows. The initial 
state of the encryption scheme includes the initial state of the generator, given 
by $St_0 \leftarrow \mathcal{K}_g$. Encryption is divided into stages $i = 1, 2, \ldots$. Stage $i$ begins with 
the generation of a new key $K_i$ using the generator: $(K_i, St_i) \leftarrow \mathcal{N}(St_{i-1})$. In 
stage $i$ encryption is done using the encryption algorithm of the base scheme 
with key $K_i$. An encryption counter is maintained, and when $l$ encryptions have 
been performed, this stage ends. The encryption counter is then reset, the stage 
counter is incremented, and the key for the next stage is generated. If the base 
scheme is stateful, its state is reset whenever the key changes. 

Formally, the key generation algorithm $\overline{\mathcal{K}}$ of the re-keyed scheme is run once, 
at the beginning, to produce an initial state which is shared between sender and 
receiver and includes $St_0$. The encryption algorithm $\overline{\mathcal{E}}$ takes the current state 
(which includes $K_i$, $St_i$, a stage counter, the encryption counter, and a state for 
the base scheme if the latter happens to be stateful) and the message $M$ to be 
encrypted, and returns ciphertext $C \leftarrow \mathcal{E}_{K_i}(M)$. It also returns an updated state 
which is stored locally. It is advisable to include with the ciphertext the number 
$i$ of the current stage, so that the receiver can maintain decryption capability 
even if messages are lost in transit. The $\overline{\mathcal{D}}$ algorithm run by the receiver can 
be stateless in this case. (This is true as long as the goal is privacy against 
chosen-plaintext attacks as we consider here, but if active attacks are considered, 
meaning we want privacy against chosen-ciphertext attacks or authenticity, the 
receiver will have to maintain state as well.) 
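The two generators of Section 2 and the staged re-keying just described, as an added example in Python that is not the paper's own code. It assumes $k = 128$ and instantiates $F$ with HMAC-SHA256 truncated to 16 bytes, uses a counter-mode scheme built from the same $F$ as a stand-in for the base scheme (the text's CBC example), and lets the receiver rederive $K_i$ statelessly from the stage number $i$ carried with the ciphertext.

```python
import hashlib
import hmac
import os
from typing import Callable, List, Tuple

# Added example, not the paper's code. Assumption: k = 128 bits, and the PRF
# F: {0,1}^k x {0,1}^k -> {0,1}^k is HMAC-SHA256 truncated to 16 bytes, one of the
# "keyed hash function" instantiations the text mentions.
K_BYTES = 16


def F(key: bytes, x: bytes) -> bytes:
    assert len(key) == K_BYTES and len(x) == K_BYTES
    return hmac.new(key, x, hashlib.sha256).digest()[:K_BYTES]


def enc_int(i: int) -> bytes:
    """k-bit binary representation of the integer i."""
    return i.to_bytes(K_BYTES, "big")


# Construction 1, parallel generator PG[F]: state (i, K), output F(K, i), counter + 1.
def pg_key(seed: bytes) -> Tuple[int, bytes]:
    return (0, seed)


def pg_next(state: Tuple[int, bytes]) -> Tuple[bytes, Tuple[int, bytes]]:
    i, K = state
    return F(K, enc_int(i)), (i + 1, K)


# Construction 2, serial generator SG[F]: state K, output F(K, 0), next state F(K, 1).
def sg_key(seed: bytes) -> bytes:
    return seed


def sg_next(K: bytes) -> Tuple[bytes, bytes]:
    return F(K, enc_int(0)), F(K, enc_int(1))


def subkeys(key_alg: Callable, next_alg: Callable, seed: bytes, n: int) -> List[bytes]:
    """Out_1, ..., Out_n (the subkeys K_1, ..., K_n) by iterating the next-step algorithm."""
    st, outs = key_alg(seed), []
    for _ in range(n):
        out, st = next_alg(st)
        outs.append(out)
    return outs


def pg_subkey_direct(seed: bytes, i: int) -> bytes:
    """Parallel generator only: K_i = F(K, i-1) needs one PRF call, not i iterations."""
    return F(seed, enc_int(i - 1))


def _keystream(K: bytes, nonce: bytes, nbytes: int) -> bytes:
    start = int.from_bytes(nonce, "big")
    blocks = (nbytes + K_BYTES - 1) // K_BYTES
    return b"".join(F(K, ((start + j) % (1 << 128)).to_bytes(K_BYTES, "big"))
                    for j in range(blocks))[:nbytes]


# Base scheme SE = (K_e, E, D): counter mode keyed by F with a random nonce per message.
# It stands in for the text's CBC example; the re-keying wrapper below does not depend on it.
def base_encrypt(K: bytes, M: bytes) -> bytes:
    nonce = os.urandom(K_BYTES)
    return nonce + bytes(a ^ b for a, b in zip(M, _keystream(K, nonce, len(M))))


def base_decrypt(K: bytes, C: bytes) -> bytes:
    nonce, body = C[:K_BYTES], C[K_BYTES:]
    return bytes(a ^ b for a, b in zip(body, _keystream(K, nonce, len(body))))


class RekeyedSender:
    """Encryption side of SE[SE, G, l]: stage counter, encryption counter and subkey K_i."""

    def __init__(self, seed: bytes, key_alg: Callable, next_alg: Callable, lifetime: int):
        assert lifetime > 0
        self.next_alg, self.l = next_alg, lifetime
        self.st = key_alg(seed)                  # St_0, the generator's initial state
        self.stage, self.count, self.K = 0, lifetime, b""

    def encrypt(self, M: bytes) -> Tuple[int, bytes]:
        if self.count == self.l:                 # l encryptions done: start stage i + 1
            self.K, self.st = self.next_alg(self.st)   # (K_i, St_i) <- N(St_{i-1})
            self.stage, self.count = self.stage + 1, 0
        self.count += 1
        return self.stage, base_encrypt(self.K, M)     # stage number i travels with C


def receiver_decrypt(seed: bytes, key_alg: Callable, next_alg: Callable,
                     stage: int, C: bytes) -> bytes:
    """Stateless receiver: rederive K_stage from the shared seed and the stage number."""
    return base_decrypt(subkeys(key_alg, next_alg, seed, stage)[-1], C)


if __name__ == "__main__":
    seed = bytes(range(K_BYTES))                 # constructed seed; K_g picks it at random
    sender = RekeyedSender(seed, sg_key, sg_next, lifetime=2)
    for msg in [b"first", b"second", b"third"]:
        i, C = sender.encrypt(msg)
        assert receiver_decrypt(seed, sg_key, sg_next, i, C) == msg
        print("stage", i, C.hex())
```

With the serial generator the stateless receiver pays $i$ PRF calls to reach $K_i$; with the parallel generator `pg_subkey_direct` reaches it in one, which is the practical side of the two constructions' different state shapes.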

Security measures for encryption schemes. Several (polynomial-time 
equivalent) definitions for security of a symmetric encryption scheme under 
chosen-plaintext attack were given in [3]. We use one of them, called left-or-right 
security. The game begins with a random bit $b$ being chosen. The adversary then 
gets access to an oracle which can take as input any two equal-length messages 
$(x_0, x_1)$ and responds with a ciphertext formed by encrypting $x_b$. The adversary 
wins if it can eventually guess $b$ correctly. We can associate to any adversary an 
advantage measuring the probability it wins. We then associate to the base 
encryption scheme (respectively, the re-keyed encryption scheme) an advantage 
function $\mathbf{Adv}^{\mathrm{ind\text{-}cpa}}_{\mathcal{SE}}(t, q, m)$ (respectively $\mathbf{Adv}^{\mathrm{ind\text{-}cpa}}_{\overline{\mathcal{SE}}}(t, q, m)$) which measures 
the maximum probability of the scheme being compromised by an adversary 
running in time $t$ and allowed $q$ oracle queries each consisting of a pair of $m$-bit 
messages. Intuitively, this captures security against a chosen-plaintext attack of $q$ 
messages. (The usual convention [3] is to allow messages of different lengths and 
count the sum of the lengths of all messages but for simplicity we ask here that 
all messages have the same length. Note that for the base encryption scheme, 
all encryption is done using a single, random key. For the re-keyed scheme, it is 
done as the scheme specifies, meaning with the key changing every $l$ encryptions. 
We omit details here, but precise definitions with this type of notation can be 
found for example in [8].) 

Security of re-keyed encryption. The qualitative interpretation of the 
following theorem is that if the generator and base encryption scheme are secure 
then so is the re-keyed encryption scheme. It is the quantitative implications 
however on which we focus. The theorem says that the security of encrypting $ln$ 
messages with the re-keyed scheme relates to the pseudorandomness of $n$ blocks 
of the generator output and the security of encrypting $l$ messages under the base 
scheme with a single random key. The $\mathbf{Adv}^{\mathrm{ind\text{-}cpa}}_{\mathcal{SE}}(t, l, m)$ term is multiplied by 
$n$, yet there is a clear gain, in that the security of the base encryption scheme 
relates to encrypting only $l$ messages. The proof of Theorem 3 can be found in 
the full version of this paper [1]. 

Theorem 3. (Security of re-keyed encryption) Let $\mathcal{SE}$ be a base encryption 
scheme with key size $k$, let $\mathcal{G}$ be a stateful generator with block size $k$, and let $l > 0$ 
be a subkey lifetime. Let $\overline{\mathcal{SE}} = \mathcal{SE}[\mathcal{SE}, \mathcal{G}, l]$ be the associated re-keyed encryption 
scheme. Then 

$\mathbf{Adv}^{\mathrm{ind\text{-}cpa}}_{\overline{\mathcal{SE}}}(t, ln, m) \le \mathbf{Adv}^{\mathrm{prg}}_{\mathcal{G},n}(t) + n \cdot \mathbf{Adv}^{\mathrm{ind\text{-}cpa}}_{\mathcal{SE}}(t, l, m) .$ 


Re-keyed encryption with the parallel and serial generators. Com- 
bining Theorem 3 with Theorems 1 and 2 gives us information about the security 
of re-keyed encryption under the parallel and serial generators. 
Corollary 1. (Security of re-keyed encryption with the parallel generator) 
Let $\mathcal{SE}$ be a base encryption scheme, let $F: \{0,1\}^k \times \{0,1\}^k \to \{0,1\}^k$ be 
a PRF, let $\mathcal{PG}[F]$ be the $F$-based parallel generator defined in Construction 1, 
and let $l > 0$ be a subkey lifetime. Let $\overline{\mathcal{SE}} = \mathcal{SE}[\mathcal{SE}, \mathcal{PG}[F], l]$ be the associated 
re-keyed encryption scheme. Then 

$\mathbf{Adv}^{\mathrm{ind\text{-}cpa}}_{\overline{\mathcal{SE}}}(t, ln, m) \le \mathbf{Adv}^{\mathrm{prf}}_F(t, n) + n \cdot \mathbf{Adv}^{\mathrm{ind\text{-}cpa}}_{\mathcal{SE}}(t, l, m) .$ 

Corollary 2. (Security of re-keyed encryption with the serial generator) 
Let $\mathcal{SE}$ be a base encryption scheme, let $F: \{0,1\}^k \times \{0,1\}^k \to \{0,1\}^k$ 
be a PRF, let $\mathcal{SG}[F]$ be the $F$-based serial generator defined in Construction 2, 
and let $l > 0$ be a subkey lifetime. Let $\overline{\mathcal{SE}} = \mathcal{SE}[\mathcal{SE}, \mathcal{SG}[F], l]$ be the associated 
re-keyed encryption scheme. Then 

$\mathbf{Adv}^{\mathrm{ind\text{-}cpa}}_{\overline{\mathcal{SE}}}(t, ln, m) \le n \cdot \mathbf{Adv}^{\mathrm{prf}}_F(t + \log n, 2) + n \cdot \mathbf{Adv}^{\mathrm{ind\text{-}cpa}}_{\mathcal{SE}}(t, l, m) .$ 

Example. For the base encryption scheme, let us use CBC with some block 
cipher $B: \{0,1\}^k \times \{0,1\}^b \to \{0,1\}^b$ having block length $b$. We wish to compare 
the security of encrypting $q$ messages directly with one key; doing this with 
re-keying using the parallel generator; and doing this with re-keying using the serial 
generator. The re-keying is based on a PRF $F: \{0,1\}^k \times \{0,1\}^k \to \{0,1\}^k$ having 
block length $k$. Note that $B$ and $F$ can but need not be the same. In particular 
$B$ must be a cipher (i.e. invertible) in order to enable CBC decryption, but we 
have seen that better security results for the re-keying schemes by choosing $F$ 
to be non-invertible and might want to choose $F$ accordingly. 

Let $\mathrm{CBC}$ denote the base encryption scheme. Let $\mathcal{P}\mathrm{CBC}$ denote the re-keyed 
encryption scheme using $\mathrm{CBC}$ as the base scheme, the $F$-based parallel generator, 
and subkey lifetime parameter $l$. Let $\mathcal{S}\mathrm{CBC}$ denote the re-keyed encryption 
scheme using $\mathrm{CBC}$ as the base scheme, the $F$-based serial generator, and subkey 
lifetime parameter $l$. Since $B$ is a cipher we take its advantage to be 

$\mathbf{Adv}^{\mathrm{prf}}_B(t, q) \approx \frac{q^2}{2^b} + \frac{t}{2^k} .$    (3) 

We know from [3] that 

$\mathbf{Adv}^{\mathrm{ind\text{-}cpa}}_{\mathrm{CBC}}(t, q, m) \approx \frac{q^2 m^2}{b^2 2^b} + 2 \cdot \mathbf{Adv}^{\mathrm{prf}}_B(t, qm/b) \approx \frac{3 q^2 m^2}{b^2 2^b} + \frac{2t}{2^k} .$ 

For simplicity we let the message length be $m = b$. Thus if $q = ln$ messages of 
length $m$ are CBC encrypted we have 

$\mathbf{Adv}^{\mathrm{ind\text{-}cpa}}_{\mathrm{CBC}}(t, ln, b) \approx \frac{3 l^2 n^2}{2^b} + \frac{2t}{2^k}$ 

$\mathbf{Adv}^{\mathrm{ind\text{-}cpa}}_{\mathcal{P}\mathrm{CBC}}(t, ln, b) \approx \mathbf{Adv}^{\mathrm{prf}}_F(t, n) + \frac{3 l^2 n}{2^b} + \frac{2nt}{2^k}$ 

$\mathbf{Adv}^{\mathrm{ind\text{-}cpa}}_{\mathcal{S}\mathrm{CBC}}(t, ln, b) \approx n \cdot \mathbf{Adv}^{\mathrm{prf}}_F(t + \log n, 2) + \frac{3 l^2 n}{2^b} + \frac{2nt}{2^k} .$ 

The first corresponds to encryption with a single key, the second to re-keying 
with the parallel generator, and the third to re-keying with the serial generator. 
Suppose we let $F$ be a block cipher. (This is the easiest choice in practice.) We 
can simply let $F = B$ (so that $b = k$). In that case $F$ obeys Equation (1) and we get 

$\mathbf{Adv}^{\mathrm{ind\text{-}cpa}}_{\mathrm{CBC}}(t, ln, b) \approx \frac{3 l^2 n^2 + 2t}{2^k}$ 

$\mathbf{Adv}^{\mathrm{ind\text{-}cpa}}_{\mathcal{P}\mathrm{CBC}}(t, ln, b) \approx \frac{3 l^2 n + n^2 + 2nt + t}{2^k}$ 

$\mathbf{Adv}^{\mathrm{ind\text{-}cpa}}_{\mathcal{S}\mathrm{CBC}}(t, ln, b) \approx \frac{3 l^2 n + 2nt + n(t + \log n + 4)}{2^k} .$ 


The two generators deliver about the same advantage. To gauge the gains provided 
by the re-keying schemes over the single-key scheme, let us define the 
encryption threshold of a scheme to be the smallest number of messages $Q = ln$ 
that can be encrypted before the advantage hits one. (Roughly speaking, this 
is the number of messages we can safely encrypt.) We want it to be as high as 
possible. Let's take $t \approx nl$. (It cannot be less but could be more, so this is an 
optimistic choice.) In the single-key scheme $Q \approx 2^{k/2}$. In the re-keyed schemes 
let us set $l = 2^{k/3}$. (This is the optimal choice.) In that case $Q \approx 2^{2k/3}$. This is 
a significant increase in the encryption threshold, showing that re-keying brings 
important security benefits. 

We could try to set $F$ to be a non-invertible PRF for which Equation (2) is 
true. (In particular $F$ would not be $B$.) Going through the calculations shows 
that again the two generators will offer the same advantage, but this would be 
an improvement over the single-key scheme only if $k > b$. (Setting $k = 2b$ yields 
an encryption threshold of $2^b$ for the re-keyed schemes as compared to $2^{b/2}$ for 
the single-key scheme.) 

We saw in Section 2 that the parallel generator offered greater security than 
the serial one. We note that this did not materialize in the application to re- 
keyed CBC encryption: here, the advantage functions arising from re-keying 
under the two generators are the same. This is because the term corresponding 
to the security of the base scheme in Corollaries 1 and 2 dominates when the 
base scheme is CBC. 

In summary we wish to stress two things: that security increases are possible, 
and that our results provide general tools to estimate security in a variety of re- 
keyed schemes and to choose parameters to minimize the advantage functions of 
the re-keyed schemes. 
A Proof of Theorem 1 

Let $A$ be an adversary attacking the pseudorandomness of $\mathcal{PG}[F]$ and $t$ be the 
maximum of the running times of $\mathbf{Exp}^{\mathrm{prg\text{-}real}}_{\mathcal{PG}[F],n}(A)$ and $\mathbf{Exp}^{\mathrm{prg\text{-}rand}}_{\mathcal{PG}[F],n}(A)$. We want 
to upper bound $\mathbf{Adv}^{\mathrm{prg}}_{\mathcal{PG}[F],n}(A)$. We do so by constructing a distinguisher $D$ for 
$F$ and relating its advantage to that of $A$. $D$ has access to an oracle $O$. It simply 
computes $s = O(1) \| \ldots \| O(n)$ and outputs the same guess as $A$ on input $s$. We 
can see that when the oracle $O$ is drawn at random from the family $F$, the probability 
that $D$ returns 1 equals the probability that the experiment $\mathbf{Exp}^{\mathrm{prg\text{-}real}}_{\mathcal{PG}[F],n}(A)$ 
returns 1. Likewise, the probability that the experiment $\mathbf{Exp}^{\mathrm{prg\text{-}rand}}_{\mathcal{PG}[F],n}(A)$ returns 
1 equals that of $D$ returning 1 when $O$ is drawn at random from the family of 
random functions $R_k$. As $D$ runs in time at most $t$ and makes exactly $n$ queries 
to its oracle, we get that 

$\mathbf{Adv}^{\mathrm{prg}}_{\mathcal{PG}[F],n}(A) \le \mathbf{Adv}^{\mathrm{prf}}_F(t, n) .$ 

Since $A$ was an arbitrary adversary and the maximum of the running times of 
experiments $\mathbf{Exp}^{\mathrm{prg\text{-}real}}_{\mathcal{PG}[F],n}(A)$ and $\mathbf{Exp}^{\mathrm{prg\text{-}rand}}_{\mathcal{PG}[F],n}(A)$ is $t$, we obtain the conclusion 
of the theorem. 

B Proof of Theorem 2 

Let $A$ be an adversary attacking the pseudorandomness of $\mathcal{SG}[F]$ and $t$ be the 
maximum of the running times of $\mathbf{Exp}^{\mathrm{prg\text{-}real}}_{\mathcal{SG}[F],n}(A)$ and $\mathbf{Exp}^{\mathrm{prg\text{-}rand}}_{\mathcal{SG}[F],n}(A)$. We want 
to upper bound $\mathbf{Adv}^{\mathrm{prg}}_{\mathcal{SG}[F],n}(A)$. We begin by defining the following sequence of 
hybrid experiments, where $j$ varies between $0$ and $n$. 

Experiment Hybrid$(A, j)$ 
    $St \leftarrow \{0,1\}^k$ ; $s \leftarrow \varepsilon$ 
    for $i = 1, \ldots, n$ do 
        if $i \le j$ then $Out_i \leftarrow \{0,1\}^k$ 
        else $(Out_i, St) \leftarrow \mathcal{N}(St)$ 
        $s \leftarrow s \| Out_i$ 
    $g \leftarrow A(s)$ 
    return $g$ 

Let $P_j$ be the probability that experiment Hybrid$(A, j)$ returns 1, for $j = 
0, \ldots, n$. Note that the experiments $\mathbf{Exp}^{\mathrm{prg\text{-}real}}_{\mathcal{SG}[F],n}(A)$ and $\mathbf{Exp}^{\mathrm{prg\text{-}rand}}_{\mathcal{SG}[F],n}(A)$ are 
identical to Hybrid$(A, 0)$ and Hybrid$(A, n)$, respectively. (Not syntactically, 
but semantically.) This means that $P_0 = \Pr[\mathbf{Exp}^{\mathrm{prg\text{-}real}}_{\mathcal{SG}[F],n}(A) = 1]$ and $P_n = 
\Pr[\mathbf{Exp}^{\mathrm{prg\text{-}rand}}_{\mathcal{SG}[F],n}(A) = 1]$. Putting it all together, we have 

$\mathbf{Adv}^{\mathrm{prg}}_{\mathcal{SG}[F],n}(A) = \Pr[\mathbf{Exp}^{\mathrm{prg\text{-}real}}_{\mathcal{SG}[F],n}(A) = 1] - \Pr[\mathbf{Exp}^{\mathrm{prg\text{-}rand}}_{\mathcal{SG}[F],n}(A) = 1] = P_0 - P_n .$    (4) 

We now claim that 

$\mathbf{Adv}^{\mathrm{prg}}_{\mathcal{SG}[F],n}(A) = P_0 - P_n \le n \cdot \mathbf{Adv}^{\mathrm{prf}}_F(t + \log n, 2) .$    (5) 

Since A was an arbitrary adversary, we obtain the conclusion of the theorem. It 
remains to justify Equation (5). We will do this using the advantage function of 
F. Consider the following distinguisher for F. 

Algorithm $D^{O}$ 
    $j \leftarrow \{1, \ldots, n\}$ ; $s \leftarrow \varepsilon$ 
    for $i = 1, \ldots, n$ do 
        if $i < j$ then $Out_i \leftarrow \{0,1\}^k$ 
        if $i = j$ then $Out_i \leftarrow O(0)$ ; $St \leftarrow O(1)$ 
        if $i > j$ then $(Out_i, St) \leftarrow \mathcal{N}(St)$ 
        $s \leftarrow s \| Out_i$ 
    $g \leftarrow A(s)$ 
    return $g$ 

Suppose the oracle given to $D$ was drawn at random from the family $F$. Then, 
the probability that it returns 1 equals the probability that the experiment 
Hybrid$(A, j - 1)$ returns 1, where $j$ is the value chosen at random by $D$ in its first 
step. Similarly, if the given oracle is drawn at random from the family of random 
functions $R_k$, then the probability that $D$ returns 1 equals the probability that 
the experiment Hybrid$(A, j)$ returns 1, where $j$ is the value chosen at random 
by $D$ in its first step. Hence, 

$\Pr[D^{O} = 1 : O \leftarrow F] = \frac{1}{n} \sum_{j=1}^{n} P_{j-1}$ 

$\Pr[D^{O} = 1 : O \leftarrow R_k] = \frac{1}{n} \sum_{j=1}^{n} P_{j} .$ 

Subtract the second sum from the first and exploit the collapse to get 

$\frac{1}{n} \sum_{j=1}^{n} P_{j-1} - \frac{1}{n} \sum_{j=1}^{n} P_{j} = \frac{P_0 - P_n}{n} = \mathbf{Adv}^{\mathrm{prf}}_F(D) .$ 

Note that $D$ runs in time at most $t + O(\log n)$ and makes exactly 2 queries to its 
oracle, whence we get Equation (5). This concludes the proof of the theorem. 
Abstract. We give the first proof of security for the full Unix password 
hashing algorithm (rather than of a simplified variant). Our results show 
that it is very good at extracting almost all of the available strength 
from the underlying cryptographic primitive and provide good reason 
for confidence in the Unix construction. 


1 Introduction 

This paper examines the security of the Unix password hashing algorithm, the 
core of the Unix password authentication protocol [14]. Although the algorithm 
has been conjectured cryptographically secure, after two decades and deployment 
in millions of systems worldwide it still has not been proven to resist attack. In 
this paper, we provide the first practical proof of security (under some reasonable 
cryptographic assumptions) for the Unix algorithm. 

The hashing algorithm is a fairly simple application of DES, perhaps the best- 
known block cipher available to the public. Since DES has seen many man-years 
of analysis, in an ideal world we might hope for a proof (via some reduction) 
that the Unix password hash is secure if DES is. However, so far no such proof 
has appeared in the literature. 

In earlier work, Luby and Rackoff presented strong theoretical evidence that 
the basic approach found in the Unix algorithm is likely to be sound, by presenting 
proofs of security for a simplified variant of the Unix hash [12,13]. However, 
their proofs have three serious limitations: the abstract model they analyze 
omits some important features of the real algorithm (they analyze the variant 
$k \mapsto E_k(0)$ rather than the full iterated construction $k \mapsto E_k^{25}(0)$); their proofs of 
security are asymptotic, and so do not directly apply to real (necessarily finite) 
instantiations of the construction; and they assume a uniform distribution on 
passwords. Therefore, we feel that, from a practical point of view, the security 
of the real Unix password hash remains an open question. 

In the first half of this paper, we take a further step towards justifying the 
design of the Unix password hash by removing the first two limitations mentioned 
above (we also make some progress towards removing the final limitation in the 
second half of this paper, as will be discussed below). Our primary contribution 
is that we show how to analyze the full Unix construction, removing the need 
to abstract away features of the algorithm. This removes the gap between what 
has been analyzed and what is currently in use. In particular, we extend Luby 
and Rackoff's proof techniques to handle the iterated construction $k \mapsto (E_k \circ 
E_k \circ \cdots \circ E_k)(0)$ found in the real Unix hash. 

We also provide explicit, quantitative security measures for the Unix hash 
(instead of asymptotic estimates), and as a result, our proofs can be directly 
applied to the real (finite) Unix algorithm. We make no claims about the novelty 
of this calculation — it is a straightforward technical exercise — but the concrete 
bounds are important if we are to assess the practical security of the Unix hash 
construction in real life. 

In practice the Unix password hash suffers from the same limitation as DES: 
both algorithms appear to be very well designed, but their short key size limits 
the attainable security level. Nonetheless, we show here that the construction 
used in the Unix password hash is cryptographically sound and does a very 
good job of extracting almost all of the available strength from the underlying 
cryptographic primitive. 

We also show a result that may be of independent interest: every pseudo- 
random generator forms a one-way function, and this construction is simultane- 
ously very efficient and strongly security-preserving. See Theorem 1 for a sur- 
prisingly tight reduction (our concrete security parameters are better than those 
obtained from the apparently-standard analysis of this construction [6, Propo- 
sition 3.3.6]). This theorem was effectively the main tool in the Luby-Rackoff 
proof, but it was never separated out explicitly. 

The main practical shortcoming of the proof techniques discussed above is 
that, for best results, we must assume that the passwords are uniformly dis- 
tributed. To remedy this shortcoming, we also present some initial progress to- 
wards handling the non-uniform case as well. 

In general, the security issues associated with non-uniformly distributed key- 
ing material appear to be under-represented in the literature. A second con- 
tribution of this paper is that we make some initial progress on this problem, 
presenting a formal model that we hope may serve as a foundation for future ex- 
ploration in this area. Using this model, we are able to show relatively good lower 
bounds on the security of the Unix algorithm when used with non-uniformly dis- 
tributed passwords. These techniques provide practically useful results for the 
special case of the Unix hash function, but in general the results that can be 
obtained via these methods are not as strong as we would like, and so we leave 
this as an open question for further research. See Section 7. 

This paper is structured as follows. We recall the definition of the Unix 
password hash in Section 2 and then summarize the results of our analysis in 
Section 3. The remainder of the paper is dedicated to the theoretical analysis: 
Section 4 outlines the main ideas from a high level, Section 5 gives some im- 
portant definitions, and Section 6 dives into the details of the proofs. Finally, 
Section 7 gives a formal model for security with non-uniformly distributed pass- 
words and presents some initial results in this area. 
2 The Unix Algorithm 

We briefly recount the definition of the Unix password hashing function. The 
function (let us call it $H$) is built out of a 25-fold iterated version of DES, in 
the following way. Let $\mathrm{DES}_k(x)$ denote the DES encryption of plaintext $x$ under 
key $k$ and $\mathrm{DES}^n_k(x) = \mathrm{DES}_k(\mathrm{DES}^{n-1}_k(x))$ denote the $n$-fold iteration of $\mathrm{DES}_k$. 
Then the hash $H(k)$ of the 8-character password $k$ may be defined as 

$H(k) = \mathrm{DES}^{25}_k(0) .$ 

When a new user account is created, the hash $H(k)$ of the user's initial 
password is stored with the user's id in the (world-readable) system password 
file /etc/passwd. When the user attempts to log on with password $k'$, the system 
computes $H(k')$ and compares the result to the value stored in the password file, 
allowing the user to log on only if $H(k') = H(k)$. 

Our description of the Unix password scheme omits one important feature 
of the construction: the salt. In fact, when the user registers his password $k$ for 
the first time, a random 12-bit salt $s$ is generated, and the system computes a 
salted hash $H_s(k)$ from $k$ and $s$. We do not analyze the effect of the salt in this 
paper. 

3 Results 

The main consequence of our analysis is the following informal result: 

If DES is a $(t, 25, \epsilon)$-secure block cipher, then the Unix password hashing 
function is a $(t', p)$-secure password hashing function, where $t' \approx t$ and 
$p \approx (1 + 1/255)\epsilon$. 

Some interpretation of this analytical result is clearly in order. Formal definitions 
of $(t, q, \epsilon)$-security for block ciphers and $(t', p)$-security for hash functions 
will be provided later in Section 5, but for now we just sketch the intuition. 
Roughly speaking, the theorem says that if DES is secure against all attacks 
using at most 25 chosen plaintexts, and if the password is chosen uniformly at 
random, then the Unix construction is secure against password guessing attacks. 

Note that our security proofs require only very mild assumptions on the 
properties of DES. To break the Unix algorithm, the adversary must have some 
way to break DES with only 25 chosen plaintexts, which is likely to be a very 
difficult task. Furthermore, even the existence of such an attack on DES is no 
guarantee of success at breaking the Unix hash function, since it seems to be 
very difficult to control the internal values of the hash computation. Therefore, 
we expect that the Unix hash function is likely to be even stronger than our 
lower bounds would suggest. 

An example. Let us try to estimate the resources needed to reverse the Unix 
hash function. We start by estimating the concrete security level afforded by 
DES. The best attack reported in the literature for breaking DES with 25 chosen 
plaintexts is exhaustive keysearch; differential and linear cryptanalysis do not 
help with such a small number of chosen texts. If we mount a partial exhaustive 
keysearch, searching over $t$ keys, we obtain an attack with time complexity $t$ and 
success probability¹ $\epsilon \le t/2^{55}$. Therefore, if the cryptanalytic results reported 
in the literature are representative and this is indeed the best available attack, 
we may conclude that DES forms a $(t, 25, t/2^{55})$-secure block cipher. Theorem 1 
then says that the Unix scheme is $(t, p)$-secure for $p \approx (1 + 1/255)\, t/2^{55}$, which 
is only larger than the corresponding success probability for attacking DES by 
the small multiplicative factor of $1 + 1/255$. To summarize: 

For an adversary with a given set of resources, the chances of breaking 
the Unix password hash are at most only slightly higher — less than 1% 
higher — than the chances of breaking DES with the same resources. 

This illustrates that the reduction is nearly tight: our analysis requires only very 
weak assumptions of security for DES, and as a result, our results will still be 
relevant even if DES is found to have some small weakness. In other words, the 
Unix construction is robust: any small imperfections that might exist in DES 
are guaranteed not to be magnified by the Unix construction into a fatal flaw 
for a hashing function. 

Limitations. There are several important technical limitations to our work. 
First, we do not analyze the salt, so we do not consider attacks on many pass- 
words in parallel. Second, although we are for the first time able to show that 
the iteration in the Unix hash does not harm security, we were not able to prove 
that iteration actually improves security, as one would intuitively expect. Third, 
our results for the non-uniform distribution are not as strong as we would like, 
as is discussed in more detail elsewhere in this paper. 

In practice probably the most significant vulnerabilities in the Unix password 
hash function are that real passwords often do not contain enough entropy to 
resist dictionary attacks [3,5,9,11,15], that the 56-bit keysize of DES is too short 
to resist exhaustive keysearch attacks [4], and that cleartext passwords are in- 
appropriate for use in a networked environment. However, our results show that 
the Unix password hashing construction attains about as much cryptographic 
strength as possible, given these unavoidable limits on its security. 

4 An Outline of the Analysis 

Our analysis of the Unix hash uses essentially only one new idea²: an observation 
about close ties between the Unix hash and the CBC-MAC construction. In the 
remainder of this section, we give a high-level sketch of these two fundamental 
observations. 

1 We assume the adversary exploits the DES complementation property, and thus 
$\varepsilon = t/2^{55}$, not $t/2^{56}$ as one might naively expect. 

2 We also give what we believe to be a simpler presentation of Luby and Rackoff's 
proof that $k \mapsto E_k(0)$ is a good one-way function if $E$ is a good block cipher, but 
the result itself is not new. 



564 David Wagner and Ian Goldberg 


Relevance of the CBC-MAC. First, we show that the Unix password hashing 
algorithm is just a special case of the more general and better-studied DES-CBC-MAC 
construction [1]. Consequently, we can take advantage of well-known 
results on the security of DES-CBC-MAC. 

Let $f\text{-CBC-MAC}(x)$ denote the CBC-MAC of the message $x$ under the function 
$f$. Recall that the $f$-CBC-MAC of an $n$-block message $x = \langle x_1, \ldots, x_n\rangle$ under 
function $f$ is defined as 

$$f\text{-CBC-MAC}(x) = f(x_n \oplus \cdots f(x_2 \oplus f(x_1)) \cdots).$$

Then it is not hard to see that we get a close relation between $n$-fold iterated 
encryption and the CBC-MAC on an $n$-block message: 

$$f^n(x) = f\text{-CBC-MAC}(\langle x, 0, 0, \ldots, 0\rangle).$$

This observation may be of independent interest, because it gives a simple and 
powerful way to analyze iterated encryption. 

Using this trick, we observe that the Unix password hashing algorithm can 
be related to the DES-CBC-MAC by 

$$\text{Unix-hash}(k) = \mathrm{DES}_k\text{-CBC-MAC}(\langle 0, \ldots, 0\rangle).$$

This is the basis for our treatment of iteration in the Unix password hash. 
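The two identities above can be checked mechanically. The following is an added example, not code from the paper: because the relation between $f^n$ and the $f$-CBC-MAC holds for any function $f$ from 64-bit blocks to 64-bit blocks, a SHA-256-based keyed function (`toy_prf`, an assumption of this example, not DES) stands in for $\mathrm{DES}_k$, and `cbc_mac`, `iterate`, `identity_holds` and `unix_style_hash` are this example's own names.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, the DES block size

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_prf(key):
    """Keyed function f_k on 64-bit blocks built from SHA-256 (a stand-in for DES_k;
    the identity below needs nothing beyond f mapping blocks to blocks)."""
    def f(x):
        assert len(x) == BLOCK
        return hashlib.sha256(key + x).digest()[:BLOCK]
    return f

def cbc_mac(f, blocks):
    """f-CBC-MAC(<x_1,...,x_n>) = f(x_n xor ... f(x_2 xor f(x_1)) ...): CBC with a
    zero IV, the last chaining value being the tag."""
    state = bytes(BLOCK)
    for blk in blocks:
        state = f(xor(blk, state))
    return state

def iterate(f, x, n):
    """n-fold iterated encryption f^n(x)."""
    for _ in range(n):
        x = f(x)
    return x

def identity_holds(key, x, n):
    """Check f^n(x) == f-CBC-MAC(<x, 0, ..., 0>) on an n-block message."""
    f = toy_prf(key)
    return iterate(f, x, n) == cbc_mac(f, [x] + [bytes(BLOCK)] * (n - 1))

def unix_style_hash(password, rounds=25):
    """Unix-hash(k) = f_k^25(0): the password is the key, the plaintext is the zero block."""
    return iterate(toy_prf(password), bytes(BLOCK), rounds)

def unix_hash_is_cbc_mac(password, rounds=25):
    """Unix-hash(k) == f_k-CBC-MAC(<0, ..., 0>) on 25 zero blocks."""
    return unix_style_hash(password, rounds) == cbc_mac(toy_prf(password), [bytes(BLOCK)] * rounds)

if __name__ == "__main__":
    # constructed sample inputs
    print(identity_holds(b"key", bytes(range(8)), 25), unix_hash_is_cbc_mac(b"hunter2"))
```

The point of the check is structural rather than cryptographic: nothing about SHA-256 is used, only that the zero blocks contribute nothing to each XOR, so the chaining value after block $i$ is exactly $f^i(x)$.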

5 Definitions 

Definitions of concrete security are parametrized by a measure of the resources 
needed to break the cryptographic primitive. In general, we say that an attack 
$R$-breaks a crypto primitive if the algorithm succeeds in breaking the primitive 
with resources specified by $R$, and we say that a crypto primitive is $R$-secure if 
there is no algorithm³ to $R$-break it. In the definitions to follow, we elaborate 
on the measure of an adversary's resources. 

First, we formally define the concept of a pseudorandom function (PRF). Let 
$F : \mathcal{K} \times \mathcal{X} \to \mathcal{Y}$ be a keyed function. We say that the oracle algorithm $A$ is an 
adversary which $(t, q, \varepsilon)$-breaks the alleged-PRF $F$ if $A$ runs in time $t$, makes 
at most $q$ queries to its oracle, and has advantage $\mathrm{Adv}\,A = \varepsilon$. The adversary's 
advantage $\mathrm{Adv}\,A$ is defined to be 

$$\mathrm{Adv}\,A = \left|\Pr[A^{F_k} = 1] - \Pr[A^{R} = 1]\right|,$$

where the probability is taken over the choice of $k$ and $R$, and where the random 
variable $k$ is drawn from the uniform distribution over $\mathcal{K}$ and $R : \mathcal{X} \to \mathcal{Y}$ is a 
random function. We say that $F$ is a $(t, q, \varepsilon)$-secure PRF if there is no adversary 
which $(t, q, \varepsilon)$-breaks $F$. 

3 We may assume without loss of generality that all adversarial algorithms behave 
deterministically, since any probabilistic adversary can be de-randomized using stan- 
dard techniques. 
A $(t, q, \varepsilon)$-secure "super" pseudorandom permutation (PRP) $E : \mathcal{K} \times \mathcal{Y} \to \mathcal{Y}$ 
is a family of permutations with the property that $E_k$ is indistinguishable from a 
random permutation $\pi : \mathcal{Y} \to \mathcal{Y}$ chosen uniformly at random from the set of all 
permutations on $\mathcal{Y}$, when $k$ is drawn uniformly at random from $\mathcal{K}$. The advantage 
of an adversary $A$ is defined as $\mathrm{Adv}\,A = \left|\Pr[A^{E_k, E_k^{-1}} = 1] - \Pr[A^{\pi, \pi^{-1}} = 1]\right|$. 
Note that we typically omit the "super" prefix for brevity. 

A pseudorandom generator (PRG) is a function $g : \mathcal{K} \to \mathcal{Y}$ which stretches 
a short seed (from $\mathcal{K}$) into a long, random-looking output. The advantage of 
an adversary for $g$ is defined to be $\mathrm{Adv}\,A = \left|\Pr[A(g(k)) = 1] - \Pr[A(u_{\mathcal{Y}}) = 1]\right|$, 
where the random variables $k$ and $u_{\mathcal{Y}}$ are chosen randomly according to the 
uniform distributions on $\mathcal{K}$ and $\mathcal{Y}$ (resp.). In the case of pseudorandom generators, 
normally one insists that the output be longer than the seed, i.e., that 

$$|\mathcal{Y}| > |\mathcal{K}|.$$

Also, it is useful to have the concept of a one-way function (OWF). Let 
$h : \mathcal{K} \to \mathcal{Y}$ be an unkeyed function. An adversary $B$ attacking $h$ is an algorithm 
with input $y \in \mathcal{Y}$ which outputs a symbol in $\mathcal{K} \cup \{\bot\}$, and which is correct; $B$ is 
correct when, for $y \in \mathcal{Y}$, $B(y) \neq \bot$ implies $h(B(y)) = y$. We say that an adversary $B$ 
$(t, p)$-breaks the alleged-OWF $h$ if $B$ runs in time $t$ and succeeds with probability 
$p = \Pr[B(h(k)) \neq \bot]$, where the probability is taken over the choice of $k \in \mathcal{K}$, 
and the random variable $k$ is drawn from the uniform distribution. Finally, we 
say that $h$ is a $(t, p)$-secure OWF if there is no adversary which $(t, p)$-breaks it. 

Note that the notion of a one-way function exactly captures the security 
properties we need from a password hashing function. In particular, if $h$ is a 
$(t, p)$-secure OWF, then the success probability of any adversary running in 
time $t$ is at most $p$. 

6 Analysis 

The main result is a proof that any pseudorandom generator is a good one-way 
function. This is a version of Luby and Rackoff's result [12,13], adapted to the 
concrete security model. 

Theorem 1. Let $g : \mathcal{K} \to \mathcal{Y}$ be a $(t, \varepsilon)$-secure pseudorandom generator, with 
$|\mathcal{Y}| > |\mathcal{K}|$. Then $g$ is a $(t', p)$-secure one-way function, where $p = \varepsilon/(1 - |\mathcal{K}|/|\mathcal{Y}|)$ 
and $t' \approx t$. 


Remark 1. To be more precise, we show that $g$ is $(t', p)$-secure, where $t' = t - c$ 
and $c$ is a universal constant which depends only on the machine model. However, 
in practice $c$ is extremely small compared to $t$, so for simplicity of exposition in 
this paper we omit these tiny constants and summarize the situation by writing 
$t'$ as $t$. 


Proof. We prove the contrapositive. Let $h = g$ be our alleged one-way function. 
Suppose that there is an adversary $B$ which $(t, p)$-breaks $h$ (viewed as a one-way 
function). We construct an adversary $A$ against $g$ (viewed as a PRG), defined 
by 

$$A(y) = \begin{cases} 1 & \text{if } B(y) \neq \bot \\ 0 & \text{otherwise.} \end{cases}$$

Our claim is that $A$ $(t, \varepsilon)$-breaks $g$ (the pseudorandom generator), i.e., that 
$\mathrm{Adv}\,A \geq (1 - |\mathcal{K}|/|\mathcal{Y}|) \cdot p$. A bit of notation: we let $k$ stand for a random variable 
uniformly distributed over $\mathcal{K}$, and $u_{\mathcal{Y}}$ for a r.v. that is uniform over $\mathcal{Y}$. All 
probabilities are calculated with respect to $k$. 

Let $V = \{y \in \mathcal{Y} : B(y) \neq \bot\}$ be the set of outputs of $h$ where $B$ succeeds. 
Also, let $W = \{k \in \mathcal{K} : h(k) \in V\}$ be the set of inputs to $h$ which are not secure 
against $B$. We see that $p = \Pr[h(k) \in V] = \Pr[k \in W]$. 

Next, we observe that $|V| \leq |W|$. The argument goes like this. We may 
view $B$ as a deterministic function (by standard de-randomization results). We 
examine $B'$, the restriction of $B$ to the domain $V$. This restriction is well-defined, 
since when $v \in V$, $B(v)$ is a well-defined element of $\mathcal{K}$. Moreover, using the 
correctness of $B$, we have $g(B(v)) = v \in V$ for all $v \in V$, so that $B(v) \in W$ 
for all $v \in V$. Thus we may consider $B'$ as a function with signature $V \to W$. 
Also, if $v, v' \in V$ and $B(v) = B(v')$, we find that $v = g(B(v)) = g(B(v')) = v'$; 
therefore, $B'$ is one-to-one. In summary, we have exhibited a one-to-one function 
from $V$ to $W$, which demonstrates that $|V| \leq |W|$. 

Finally, we are ready to calculate the advantage of the adversary $A$. First, 

$$\Pr[A(g(k)) = 1] = \Pr[B(h(k)) \neq \bot] = \Pr[h(k) \in V] = p.$$

Also $|W| = |\mathcal{K}| \cdot \Pr[k \in W] = |\mathcal{K}| \cdot p$ and $|V| \leq |W|$, so 

$$\Pr[A(u_{\mathcal{Y}}) = 1] = \Pr[u_{\mathcal{Y}} \in V] = |V|/|\mathcal{Y}| \leq |W|/|\mathcal{Y}| = |\mathcal{K}|/|\mathcal{Y}| \cdot p.$$

Plugging into the definition of $\mathrm{Adv}\,A$ gives 

$$\mathrm{Adv}\,A \geq \left|\,p - |\mathcal{K}|/|\mathcal{Y}| \cdot p\,\right| = (1 - |\mathcal{K}|/|\mathcal{Y}|) \cdot p = \varepsilon.$$

To recap, under the assumption that there is an adversary $B$ which $(t, p)$-breaks 
$h$, we obtain an adversary $A$ which shows that $g$ is not $(t, \varepsilon)$-secure, and this is 
the desired result. □ 
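The counting in the proof can be carried out exactly on a toy instance. The following is an added example, not code from the paper: the generator $g$ (4-bit seeds, 8-bit outputs, so $|\mathcal{K}|/|\mathcal{Y}| = 1/16$) is a constructed injective map with no pseudorandomness at all, the inverter $B$ knows a constructed set of seeds, and the distinguisher $A$ is built from $B$ exactly as in the proof; `advantage` enumerates $\mathcal{K}$ and $\mathcal{Y}$ to compute $\mathrm{Adv}\,A$ as an exact fraction. The names `make_inverter`, `make_distinguisher`, `theorem1_bound` and `theorem5_bound` are this example's own.

```python
from fractions import Fraction

# Toy instance of the reduction in the proof of Theorem 1 (constructed for this example).
# K = {0,...,15} (4-bit seeds), Y = {0,...,255} (8-bit outputs), so |K|/|Y| = 1/16.
K = range(16)
Y_SIZE = 256

def g(k):
    """Toy 'generator' stretching 4 bits to 8. It is injective on K but not pseudorandom;
    only the counting argument of the proof is exercised here."""
    return (k * k + 3) % Y_SIZE

def make_inverter(known_seeds):
    """Adversary B: inverts g only on the outputs of a constructed set of seeds and returns
    None (the symbol bot) elsewhere. B is correct: g(B(y)) == y whenever B(y) is not None."""
    table = {g(k): k for k in known_seeds}
    return lambda y: table.get(y)

def make_distinguisher(B):
    """Adversary A of the proof: A(y) = 1 iff B(y) != bot."""
    return lambda y: 1 if B(y) is not None else 0

def success_probability(B):
    """p = Pr[B(g(k)) != bot] over uniform k in K."""
    return Fraction(sum(B(g(k)) is not None for k in K), len(K))

def advantage(A):
    """Exact Adv A = |Pr[A(g(k)) = 1] - Pr[A(u_Y) = 1]| by enumerating K and Y."""
    pr_real = Fraction(sum(A(g(k)) for k in K), len(K))
    pr_rand = Fraction(sum(A(y) for y in range(Y_SIZE)), Y_SIZE)
    return abs(pr_real - pr_rand)

def theorem1_bound(p):
    """Theorem 1: Adv A >= (1 - |K|/|Y|) * p."""
    return (1 - Fraction(len(K), Y_SIZE)) * p

def theorem5_bound(p):
    """The weaker bound of Theorem 5 (Section 7): Adv A >= p - |K|/|Y|."""
    return p - Fraction(len(K), Y_SIZE)

def check(known_seeds):
    """Returns (p, Adv A, Theorem 1 bound holds, Theorem 5 bound holds)."""
    B = make_inverter(known_seeds)
    A = make_distinguisher(B)
    p, adv = success_probability(B), advantage(A)
    return p, adv, adv >= theorem1_bound(p), adv >= theorem5_bound(p)

if __name__ == "__main__":
    print(check(range(6)))   # B inverts 6 of the 16 seeds: p = 3/8, Adv A = 45/128
```

Because this toy $g$ is injective, $|V| = |W| = p|\mathcal{K}|$ and the inequality of the proof is an equality: with $B$ inverting 6 of 16 seeds, $\mathrm{Adv}\,A = 6/16 - 6/256 = 45/128$, which is exactly $(1 - 1/16)\cdot 3/8$. Theorem 5's bound $p - |\mathcal{K}|/|\mathcal{Y}| = 5/16$ is visibly looser on the same instance.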


Lemma 1. A $(t, q, \varepsilon)$-secure PRP $E : \mathcal{K} \times \mathcal{Y} \to \mathcal{Y}$ is a $(t, q, \varepsilon + q^2/2|\mathcal{Y}|)$-secure 
PRF. 

Proof. This lemma is a well-known consequence of the birthday paradox. For a 
full proof, see, e.g., [1]. □ 

Lemma 2. If $F : \mathcal{K} \times \mathcal{Y} \to \mathcal{Y}$ is a $(t, q, \varepsilon)$-secure PRF, then $F^n$ is a $(t', q/n, \varepsilon')$-secure 
PRF, where $t' = t - q \log_2 |\mathcal{Y}|$ and $\varepsilon' = \varepsilon + 1.5\,q^2/|\mathcal{Y}|$. 

Proof. Recall that $F_k^n(x) = F_k(\cdots(F_k(x))\cdots)$ is an $F_k$-CBC-MAC on the message 
$\langle x, 0, 0, \ldots, 0\rangle$, as noted in Section 4. Now invoke [1, Lemma 4.1] to show 
that the $F_k$-CBC-MAC is a secure PRF. □ 
Lemma 3. If $F$ is a $(t, 1, \varepsilon)$-secure PRF, then $g(k) = F_k(0)$ is a $(t, \varepsilon)$-secure 
PRG. 

Proof. Immediate from the definitions. □ 

Theorem 2. If DES is a $(t, 25, \varepsilon)$-secure pseudorandom permutation, then the 
Unix construction is a $(t', p)$-secure password hashing function, where 
$p = (1 + 1/255)\varepsilon + (1 + 1/255) \cdot 25^2/2^{63} \approx (1 + 1/255)\varepsilon$ and $t' \approx t$. 

Proof. Applying Lemmas 1 and 2, we see that $x \mapsto \mathrm{DES}_k^{25}(x)$ is a $(t_1, 1, \varepsilon_1)$-secure 
PRF, where $t_1 = t - 25 \times 64$ and $\varepsilon_1 = \varepsilon + 2q^2/|\mathcal{Y}|$. Lemma 3 then shows that 
the Unix algorithm is a $(t_1, \varepsilon_1)$-secure PRG. Finally, Theorem 1 assures us that 
the Unix construction is a $(t', p)$-secure one-way function, where 
$t' = t_1 - c = t - 25 \times 64 - c \approx t$ and $p = \varepsilon_1/(1 - 2^{-8}) = (1 + 1/255)\varepsilon_1$. As discussed above, this 
is exactly the notion needed to show that the Unix password hashing algorithm 
is secure when used with uniformly-distributed passwords. □ 

7 Non-uniformly Distributed Secrets 

So far our proofs of security have assumed that all passwords are uniformly dis- 
tributed. In practice, though, such an assumption is often far from the mark 
[3,5,9,11,15]. This section tackles the issue of security for non-uniform distribu- 
tions. 

In this section, we introduce a new security model, passphrase-based cryptog- 
raphy, where keying material and other cryptographic secrets are derived from 
human-entered passphrases and thus are likely to have a highly non-uniform 
distribution. This is a significant departure from the standard model, where the 
very definitions of security assume a uniform distribution on the keys. A second 
important difference is that passphrases are typically relatively short, so the se- 
cret entropy in them is a scarce resource which we must not waste. We show 
that the standard approaches to smoothing non-uniform distributions are un- 
suitable for practical use because they waste too much entropy. Therefore, new 
techniques are needed. 

Let us start by developing formal definitions of security for passphrase-based 
cryptography. We need a small amount of background. Let $D$ be a distribution on 
$\mathcal{K}$ which assigns the probability $D(k)$ to each $k \in \mathcal{K}$, and let $D(S) = \sum_{k \in S} D(k)$ 
for all $S \subseteq \mathcal{K}$. 

We define the notion of a one-way function secure for $D$ as in Section 5, except 
that the success probability is now calculated when inputs are distributed 
according to $D$ rather than the uniform distribution. (We assume that the 
distribution is fixed in advance, so that the attack algorithm may depend on $D$.) 
Let $f : \mathcal{K} \to \mathcal{Y}$ be an unkeyed function and let $B : \mathcal{Y} \to \mathcal{K} \cup \{\bot\}$ be an 
adversary against $f$ that is correct (i.e., $B(y) \neq \bot$ implies $f(B(y)) = y$). We say 
that the algorithm $B$ $(t, p)$-breaks $f$ (for $D$) if $B$ runs in time $t$ and succeeds 
with probability $p = \Pr[B(f(k)) \neq \bot]$, where $k$ is chosen from $\mathcal{K}$ according to 
the distribution $D$ and the probability is taken with respect to the choice of 
$k$. Finally, the one-way function $f$ is $(t, p)$-secure for $D$ if there is no adversary 
which $(t, p)$-breaks $f$ for $D$. 

In this paper, we define 

$$\chi_D(t) = \max\{D(S) : S \subseteq \mathcal{K},\ |S| \leq t\}.$$

This definition is motivated by the following upper bound on the security of 
hashing inputs with distribution $D$: 

Theorem 3. For all one-way hash functions $f$, all distributions $D$, and all time 
bounds $t$, there is a generic attack, called the dictionary attack, which $(t, \chi_D(t))$-breaks $f$. 

Proof. The dictionary attack proceeds by trying the $t$ elements of $\mathcal{K}$ with the $t$ 
largest $D$-probabilities. (Each guess can be easily checked with a single computation 
of $f$.) If we write the $D$-probabilities in decreasing order, $d_1 \geq d_2 \geq d_3 \geq \cdots$, we 
can see that the success probability of the dictionary attack is $d_1 + d_2 + \cdots + d_t$; 
furthermore, this quantity is precisely $\chi_D(t)$. □ 

Therefore, $\chi_D$ describes the effectiveness of the optimal dictionary-search 
attack against $D$: no matter what we do, every one-way hash function with 
inputs chosen according to $D$ can be broken with probability $\chi_D(t)$ and time $t$. 

There is no way to avoid the dictionary attack. This motivates our definition 
of security for a one-way hash function that operates on inputs with a 
non-uniform distribution: 

Definition 1. We say that the one-way function $f$ is ideally-secure for distribution 
$D$ if $f$ is $(t, \chi_D(t))$-secure (for all $t$) when its inputs are distributed according 
to $D$. 

Intuitively speaking, a one-way function is ideally-secure if the dictionary attack 
is the best attack. 

We are able to show that any one-way function that is sufficiently strong for 
uniformly distributed inputs will also be relatively good for other distributions. 

Theorem 4. Let $f$ be a one-way function that is $(t, p)$-secure for uniformly 
distributed inputs. Then, for every distribution $D$ on $\mathcal{K}$, $f$ is a $(t, \chi_D(p|\mathcal{K}|))$-secure 
one-way hash function for $D$. 

Proof. Let $A$ be an adversary which $(t, p')$-breaks $f$ for $D$, where $p' > \chi_D(p|\mathcal{K}|)$. 
We will show that $A$ also $(t, p)$-breaks $f$ (for uniformly distributed inputs), and 
then taking the contrapositive will yield the desired result. 

Let $S = \{k \in \mathcal{K} : A(f(k)) \neq \bot\}$ be the set of $f$-inputs which are not safe 
against $A$. Note that $p' = D(S)$, and moreover that $\chi_D(|S|) \geq D(S)$ (by the 
definition of $\chi_D$), so we have 

$$\chi_D(|S|) \geq D(S) = p' > \chi_D(p|\mathcal{K}|).$$

Since $\chi_D(t)$ is a monotonically increasing function of $t$, we may conclude that 

$$|S| > p|\mathcal{K}|.$$

Now we may prove that $A$ indeed works well, not just for the distribution $D$, 
but also for the uniform distribution. Note that 

$$\Pr[A(f(k)) \neq \bot] = \Pr[k \in S] = |S|/|\mathcal{K}| > p$$

when $k$ is drawn from the uniform distribution on $\mathcal{K}$. Therefore, $A$ is an adversary 
that $(t, p)$-breaks $f$ (for the uniform distribution), as claimed, and the theorem 
follows. □ 

Corollary 1. If the one-way function $f$ is ideally-secure for the uniform distribution, 
then it is also ideally-secure for all other distributions as well. 

Proof. For the uniform distribution $U$ on $\mathcal{K}$, we have $\chi_U(t) = t/|\mathcal{K}|$, so by 
assumption $f$ is $(t, t/|\mathcal{K}|)$-secure for all $t$. Now Theorem 4 assures us that $f$ is 
$(t, \chi_D(t))$-secure for all distributions $D$, since $\chi_D((t/|\mathcal{K}|) \cdot |\mathcal{K}|) = \chi_D(t)$. □ 

Applications to Unix password hashing. We can show that the Unix hash 
is good at hashing even non-uniformly distributed passwords, under assumptions 
on DES that appear to be reasonable (albeit stronger than one might like). 

In Section 3, we argued that DES appears to be $(t, 25, t/2^{55})$-secure, if the 
cryptanalysis results reported in the literature do indeed represent the best 
attacks on DES (as many researchers believe). This assumption implies that the 
Unix hash $H$ is a $(t', t/2^{56})$-secure one-way function when its inputs are uniformly 
distributed, where $t' = (1 - 2^{-8})(t/2 - 25^2/2^8) \approx (1 - 2^{-8})\,t/2$. Thus, 
Theorem 4 allows us to conclude that the Unix hash is $(t', \chi_D(t))$-secure — i.e., 
nearly $(t/2, \chi_D(t))$-secure — for every distribution $D$. 

This lower bound only differs from Theorem 3's upper bound by a factor of 
about two⁴. Roughly speaking, this means that the Unix hash appears to be 
nearly ideally-secure for all distributions $D$: no shortcut attack can do much 
better than the dictionary attack. 

Whether this result is useful in practice will depend on several factors. One 
disadvantage is that the approach requires relatively strong assumptions about 
DES — that there are no shortcut attacks on DES that reduce the workfactor 
of exhaustive keysearch by more than a small factor when the key is uniformly 
distributed — and as a result, the result is not as robust as we would like. For 
example, if small weaknesses are present in DES, our proof techniques cannot 
rule out the possibility that these weaknesses might be greatly magnified when 
one uses DES with patterned passwords, even though such a worst-case scenario 
is considered unlikely by practitioners. 

However, it is interesting to point out that we obtain a proof of security 
for the Unix hash of patterned passwords starting only with the assumption 

4 If we consider that the Unix hash internally iterates DES 25 times and thus costs 25 
times as much to compute as does a single DES trial encryption, the gap between 
the upper and lower bounds becomes a factor of about 50, which is still quite small. 
that DES is secure for uniformly-distributed keys. In particular, we make no 
assumptions whatsoever about the behavior of DES when keyed from a 
non-uniform distribution. Consequently, we can take advantage of the decades of 
analysis on DES (which has all been premised on the assumption of 
uniformly-distributed keys) to gain confidence in the security of the Unix algorithm. 

Applications to other crypto primitives. It is also worth noting that 
Theorem 4 can be generalized to many other keyed cryptographic primitives, 
such as block ciphers, stream ciphers, and PRFs, using the same style of proof. 

Tightness. One can show that our lower bound (given in Theorem 4) on the 
security of $f$ for non-uniform distributions is essentially tight. In other words, 
it is unlikely that one can do much better without either making additional 
assumptions on $f$ or finding a better construction. 

The following simple example is due to David Zuckerman [16]. Let $g : \mathcal{K}_1 \to \mathcal{Y}_1$ 
be an ideally-secure one-way function with keyspace $\mathcal{K}_1$ and output space 
$\mathcal{Y}_1$. We construct $f : \mathcal{K} \to \mathcal{Y}$ as $f(\langle x, y\rangle) = \langle g(x), y\rangle$, where $\mathcal{K} = \mathcal{K}_1 \times \mathcal{K}_2$ 
and $\mathcal{Y} = \mathcal{Y}_1 \times \mathcal{K}_2$. Note that $f$ is $(t, t/|\mathcal{K}_1|)$-secure (for all $t$) for the uniform 
distribution on $\mathcal{K}$. 

Next consider the uniform distribution $D$ on $S \times \mathcal{K}_2$ for some $S \subseteq \mathcal{K}_1$, i.e., 
$D(\langle x, y\rangle) = 1/(|S| \cdot |\mathcal{K}_2|)$ for all $\langle x, y\rangle \in S \times \mathcal{K}_2$ and $D(\langle x, y\rangle) = 0$ for $x \notin S$. 
Theorem 4 implies $f$ is $(t, p)$-secure for $D$, where 

$$p = \chi_D\!\left(\frac{t}{|\mathcal{K}_1|} \cdot |\mathcal{K}|\right) = \chi_D(t\,|\mathcal{K}_2|) = \frac{t}{|S|}.$$

At the same time, one may clearly $(t, t/|S|)$-break $f$ using a dictionary attack 
when its inputs are distributed according to $D$ (see Theorem 3). This shows that 
Theorem 4 is tight. 
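The quantity $\chi_D(t)$ of Theorem 3, the bound $\chi_D(p|\mathcal{K}|)$ of Theorem 4, and Zuckerman's tightness example above can all be evaluated exactly on a key space small enough to enumerate. The following is an added example, not code from the paper: `chi` sorts the probability mass as in the proof of Theorem 3, `chi_brute_force` confirms it against every subset of size at most $t$, and `tightness_gap` builds the product distribution $D$ on $S \times \mathcal{K}_2$ with constructed sizes and compares Theorem 4's guarantee with the success $t/|S|$ of guessing only the $x$-component. All function names and the sample distributions are this example's own.

```python
from fractions import Fraction
from itertools import combinations, product

# Constructed example (not the paper's code): the bound chi_D(t) of Section 7 and
# Zuckerman's tightness example, on toy key spaces small enough to enumerate.

def chi(D, t):
    """chi_D(t) = max{ D(S) : S subset of K, |S| <= t }: the mass of the t most likely keys,
    which is what the dictionary attack of Theorem 3 achieves."""
    return sum(sorted(D.values(), reverse=True)[:t], Fraction(0))

def chi_brute_force(D, t):
    """The same quantity by trying every subset of size <= t (tiny K only)."""
    keys = list(D)
    return max((sum((D[k] for k in S), Fraction(0))
                for r in range(t + 1) for S in combinations(keys, r)),
               default=Fraction(0))

def theorem4_bound(D, p, key_space_size):
    """Theorem 4: (t,p)-secure for uniform inputs implies (t, chi_D(p*|K|))-secure for D."""
    return chi(D, int(p * key_space_size))

def zuckerman_instance(K1_size, K2_size, S_size):
    """f(<x,y>) = <g(x), y> with g ideally secure on K1; D is uniform on S x K2 for a
    constructed S of the first S_size elements of K1. Returns (D, |K|)."""
    S = range(S_size)
    D = {(x, y): Fraction(1, S_size * K2_size) for x, y in product(S, range(K2_size))}
    return D, K1_size * K2_size

def tightness_gap(K1_size, K2_size, S_size, t):
    """(Theorem 4's guarantee for f on D, success of guessing x among S with t tries).
    The y-component is in the clear in f's output, so only x must be guessed."""
    D, K_size = zuckerman_instance(K1_size, K2_size, S_size)
    p_uniform = Fraction(t, K1_size)       # f is (t, t/|K1|)-secure for uniform inputs
    return theorem4_bound(D, p_uniform, K_size), Fraction(min(t, S_size), S_size)

if __name__ == "__main__":
    # constructed password distribution: one very popular choice and a long tail
    D = {"a": Fraction(1, 2), "b": Fraction(1, 4), "c": Fraction(1, 8),
         "d": Fraction(1, 16), "e": Fraction(1, 16)}
    print([chi(D, t) for t in range(6)])       # 0, 1/2, 3/4, 7/8, 15/16, 1
    print(tightness_gap(8, 4, 3, 2))           # (2/3, 2/3): bound met with equality
```

On the skewed toy distribution two guesses already capture three quarters of the mass, which is the sense in which $\chi_D$ measures how far a population's password choices are from uniform; on the product distribution the Theorem 4 bound and the achievable success coincide for every $t \leq |S|$.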

The power of stronger assumptions. One alternative approach is to start 
from the assumption that DES is secure (up to the possibility of dictionary at- 
tacks) no matter what distribution the key is drawn from. Then we may attempt 
to prove that the Unix hash is secure for passwords with distribution D if DES 
is secure for keys with distribution D. 

The following theorem, which forms a nice example of this approach, is due 
to Bellare (and was stated as a homework problem in [7]): 

Theorem 5. If $g : \mathcal{K} \to \mathcal{Y}$ is a $(t, \varepsilon)$-secure pseudorandom generator for seeds 
distributed according to $D$, then $g$ is a $(t, p)$-secure one-way function for $D$, 
where $p = \varepsilon + |\mathcal{K}|/|\mathcal{Y}|$. 

Remark 2. Of course, we may take $D$ to be the uniform distribution in the above; 
however, this gives strictly weaker bounds than Theorem 1's dedicated analysis. 

Proof. Use the same notation as in the proof of Theorem 1, and define the 
adversary $A$ in the same way. Note that $\Pr[A(u_{\mathcal{Y}}) = 1] \leq |\{g(k) : k \in \mathcal{K}\}|/|\mathcal{Y}| \leq 
|\mathcal{K}|/|\mathcal{Y}|$, and $\Pr[A(g(k)) = 1] = p$ as before, so we get 

$$\mathrm{Adv}\,A = \left|\Pr[A(g(k)) = 1] - \Pr[A(u_{\mathcal{Y}}) = 1]\right| \geq \left|\,p - |\mathcal{K}|/|\mathcal{Y}|\,\right| = \varepsilon.$$

In other words, if there is an adversary $B$ to $(t, p)$-break $g$ as a one-way function, 
then there is another adversary $A$ to $(t, \varepsilon)$-break $g$ as a pseudorandom generator, 
and the theorem follows. □ 

While this result may be useful in some contexts, it doesn't give terribly useful 
lower bounds for the security of the Unix hash. For the Unix algorithm, we have 
$|\mathcal{K}|/|\mathcal{Y}| = 2^{-8}$, so we won't be able to rule out the possibility that there exists 
an algorithm that succeeds in breaking 1/256 of all passwords in constant time. 
Such a result is not very reassuring. 

One could attempt to repair the flaw by defining a new hash construction, 
e.g., $\text{New-hash}(k) = \langle \mathrm{DES}_k(0\ldots00), \mathrm{DES}_k(0\ldots01)\rangle$. Such an approach would 
work — if one is willing to deploy an updated implementation of the password 
hashing algorithm on millions of machines around the world! — but it would still 
require strong assumptions about the security of DES when used with 
non-uniformly distributed keys. Since DES has not received as much scrutiny in this 
setting (where the key is non-uniformly distributed), it becomes harder to gain 
much confidence that the necessary assumptions are indeed satisfied. 

Therefore, we conclude that this approach does not seem to yield security 
bounds that are as meaningful as those that can be achieved with Theorem 4. 

Comparison to entropy smoothing. Another alternative approach to deal- 
ing with patterned passwords is to smooth out the non-uniformity in the dis- 
tribution. A well-known result called the leftover hash lemma [8,10] shows that 
universal hash functions are good at entropy smoothing: if h is selected uniformly 
at random from a family of universal hash functions with m-bit outputs, and if k 
is drawn from a distribution with at least 3m bits of Renyi entropy, the random 
variable (h, h(k)) will be approximately uniformly distributed. 

The disadvantage with the leftover hash lemma is that it wastes at least 
two-thirds of the entropy of the password k: if we want to feed the smoothed 
bits into the Unix hash function (e.g., $\text{New-hash}(k) = \langle h, \text{Unix-hash}(h(k))\rangle$), we 
need a passphrase with at least 3 x 56 = 168 bits of entropy. This would require 
that passphrases consist of hundreds of characters, which is too difficult for most 
mere mortals to memorize. When we consider that, in the real world, one is lucky 
to find a password with more than 25-35 bits of entropy [3,5,9,11,15], it becomes 
clear that the leftover hash lemma is thoroughly unsuitable for practical use. 

The problem is that universal hash functions (and their generalizations, e.g., 
extractors) are designed for use in de-randomization, where the scarce resource is 
uniformly-distributed randomness, and where non-uniformly distributed bits are 
very cheap. In contrast, for passphrase-based cryptography, secret randomness 
(e.g., passwords, passphrases, etc.) should be considered a very precious resource 
that must be conserved at all costs, whereas public randomness (even uniformly- 
distributed public randomness) is nearly free. This suggests that new approaches 
may be required, and we leave this as an interesting challenge for further study. 
Abstract. This paper introduces three new probabilistic encryption 
schemes using elliptic curves over rings. The cryptosystems are based 
on three specific trapdoor mechanisms allowing the recipient to recover 
discrete logarithms on different types of curves. The first scheme is an 
embodiment of Naccache and Stern’s cryptosystem and realizes a discrete 
log encryption as originally wanted in [23] by Vanstone and Zuccherato. 
Our second scheme provides an elliptic curve version of Okamoto and 
Uchiyama’s probabilistic encryption, thus answering a question left open 
in [10] by the same authors. Finally, we introduce a Paillier-like encryp- 
tion scheme based on the use of twists of anomalous curves. Our con- 
tributions provide probabilistic, homomorphic and semantically secure 
cryptosystems that concretize all previous research works on discrete log 
encryption in the elliptic curve setting. 


Keywords. Elliptic Curve Cryptosystems, Discrete Logarithm Encryption, 
Homomorphic Encryption, Naccache-Stern, Okamoto-Uchiyama, Paillier. 

1 Introduction 

At the present time, one of the most challenging open problems in cryptography 
is certainly the realization of a trapdoor in the discrete logarithm problem. A 
discrete-log (DL) encryption scheme over a group G intends to encrypt a plain- 
text $m$ by simply raising some base element $g \in G$ to the power $m$, while decryption 
recovers $m$ up to a public bound¹. Motivations for this may be diverse. The 
main advantage in comparison to other public-key techniques such as RSA or 
ElGamal comes from the additive homomorphic property of ciphertexts (the group 
product of encryptions of $m_1$ and $m_2$ yields an encryption of $m_1 + m_2$). This 
property constitutes the necessary condition for many cryptographic protocols 
to exist in fields like electronic voting [4], key escrow [13] or group signatures, 
to quote a few. Clearly, discovering novel discrete-log encryption techniques has 
a crucial positive impact on these research domains. In contrast, direct applica- 
tions of these for simple encryption purposes may be of more moderate interest 

1 the decryption is only expected to retrieve m modulo the given bound, i.e. the 
trapdoor is partial. 

T. Okamoto (Ed.): ASIACRYPT 2000, LNCS 1976, pp. 573-584, 2000. 
as malleability destroys chosen-ciphertext security anyway². Without considering 
ing all potential applications, this paper focuses on providing and analyzing new 
discrete log trapdoors and comparing their properties with the ones recently 
discovered in [8,9,11]. 

High degree residuosity was introduced by Benaloh [1] as an algebraic frame- 
work extending the properties of quadratic residuosity to prime degrees greater 
than two. Since then, successive works have considerably improved the efficiency 
of residuosity-based encryption. Naccache and Stern [8], utilizing a smooth de- 
gree modulo $n = pq$, increased Benaloh's encryption rate up to $\approx 1/5$. More 
recently, Okamoto and Uchiyama [9] and Paillier [11] came up with modulus- 
independent encryption rates of 1/3 and 1/2 respectively, basing trapdoorness on 
a joint use of Fermat quotients and clever parameter choices. Interestingly, these 
three cryptosystems only stand in the multiplicative groups $\mathbb{Z}_n^*$ where $n = pq$, 
$p^2 q$ or $p^2 q^2$ and $p, q$ are large prime numbers. 

There have been several attempts, in the meantime, to realize discrete-log 
encryption over elliptic curves instead of standard groups. This was motivated 
by the fact that no subexponential time algorithm for extracting discrete 
logarithms is known so far, at least for most elliptic curves³. As a matter of fact, 
all such design proposals have revealed themselves unsuccessful. Vanstone and 
Zuccherato [23] proposed a deterministic DL encryption scheme that was shown 
to be insecure a few months later by McKee and Pinch [6] and Coppersmith [2]. 
Independently, Okamoto and Uchiyama failed in attempting to design DL 
encryption over composite anomalous curves [10]. 

This paper introduces cryptosystems successfully answering the quests of [23] 
and [10] respectively, with guaranteed semantic security relatively to well iden- 
tified computational problems. The first scheme is an embodiment of Naccache 
and Stern’s cryptosystem on curves defined over Z n (n = pq) which realizes 
a discrete-log encryption as originally imagined by Vanstone and Zuccherato. 
Probabilistic, the scheme is also provably semantically secure relatively to the 
so-called high-degree residuosity problem. Our second cryptosystem relates to 
the $p$-residuosity of a well-chosen curve over the ring $\mathbb{Z}_{p^2 q}$, that is, provides an 
elliptic curve instance of Okamoto and Uchiyama’s encryption scheme. Finally, 
we show how to extend the same design framework to Paillier encryption [11], 
while preserving all security and efficiency properties inherent to the original 
cryptosystem. All three schemes are reasonably efficient, simple to understand, 
additively homomorphic, probabilistic and provably secure against chosen plain- 
text attacks (IND-CPA) in the standard model. We believe our cryptosystems 
to be the only ones that verify these properties. 

Due to space limitations, we do not recall here the basics of high-degree 
residuosity (neither do we give the description of the encryption schemes we 


2 like for other cryptosystems however, security improvements are possible to reach 
resistance against active adversaries, see [12]. 

3 it is known that there exist subexponential algorithms for curves of trace zero over 
$\mathbb{F}_p$ for $p$ prime. The discrete-log problem happens to be trivially polynomial in the 
case of trace one, see [20]. 
work with), referring the reader to the bibliography for further information when 
needed. 

2 Elliptic Curve Naccache-Stern Encryption 

The first encryption scheme that we describe here is a variant of Naccache and 
Stern’s encryption scheme [8] where the working group is an elliptic curve over 
the ring Z n . The construction of such a curve is similar in spirit to the work of 
Koyama, Maurer, Okamoto and Vanstone [5] that allowed to export factoring- 
based cryptosystems like RSA [15] and Rabin [14] on a particular family of curves 
over the ring Z n (KMOV). We now describe briefly their construction. 

In the sequel, $p$ and $q$ denote distinct large primes of product $n$. Recall that 
for any integer $k$, $E_k(a, b)$ is defined as the set of points $(x, y) \in \mathbb{Z}_k \times \mathbb{Z}_k$ such 
that 

$$y^2 = x^3 + ax + b \bmod k,$$

together with a special element $O_k$ called the point at infinity. It is known that 
given a composite integer $k$, a curve $E_k(a, b)$ defined over the ring $\mathbb{Z}_k$ has no 
reason to be a group. This problem, however, does not have real consequences in 
practice when $k = n$, because exhibiting a litigious addition would lead to factoring $n$, 
and this event remains of negligible probability. Furthermore, the projections of $E_n(a, b)$ 
over $\mathbb{F}_p$ and $\mathbb{F}_q$ (namely, $E_p(a, b)$ and $E_q(a, b)$) being finite abelian groups, the 
Chinese remainder theorem easily leads to the following statement: 

Lemma 1 (Koyama et al. [5]). Let $E_n(a, b)$ be an elliptic curve where $n = pq$ 
is the product of two primes such that $\gcd(4a^3 + 27b^2, n) = 1$. Let us define the 
order of $E_n(a, b)$ as 

$$|E_n(a, b)| = \mathrm{lcm}(|E_p(a, b)|, |E_q(a, b)|).$$

Then, for any point $P \in E_n(a, b)$, 

$$|E_n(a, b)| \cdot P = O_n$$

where $O_n$ denotes the point at infinity of $E_n(a, b)$. 

Although not being a group in a strict sense, the structure of the curve $E_n(a, b)$ 
complies with Lagrange's theorem and, from this standpoint, can be used as a 
group. Koyama et al. take advantage of this feature by focusing on curves of the 
following specific form: 

$$E_n(0, b) : y^2 = x^3 + b \bmod n \quad \text{for } b \in \mathbb{Z}_n^*,$$

with $p \equiv q \equiv 2 \pmod 3$. This is motivated by the fact that the projected curves 
$E_p(0, b)$ and $E_q(0, b)$ happen to be of trace of Frobenius equal to zero. More 
specifically, 
Lemma 2. Let $p$ be an odd prime satisfying $p \equiv 2 \pmod 3$. Then, for all $b \in 
[1, p - 1]$, $E_p(0, b)$ is a cyclic group of order 

$$|E_p(0, b)| = p + 1.$$

Consequently, the problem of recovering $|E_n(0, b)| = \mathrm{lcm}(p + 1, q + 1)$ from $n$ 
is equivalent to factoring $n$ when $p \equiv q \equiv 2 \pmod 3$. Note that another possible 
choice of parameters are curves $E_n(a, 0)$ for $a \in \mathbb{Z}_n^*$ and $p \equiv q \equiv 3 \pmod 4$. We 
refer the reader to [5] for further details. 
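Lemmas 1 and 2, and the remark that a "litigious addition" modulo $n$ leaks a factor, can all be observed on a toy curve. The following is an added example, not code from the paper: it uses constructed parameters $p = 11$, $q = 17$ (both $\equiv 2 \pmod 3$), $b = 1$, $n = 187$, counts the points of $E_p(0, b)$ by brute force, verifies $\mathrm{lcm}(p+1, q+1) \cdot P = O$ modulo $p$ and modulo $q$ as the proof of Lemma 1 does, and then runs the same scalar multiplication directly modulo $n$. With primes this small, an intermediate multiple that is $O$ modulo one factor but not the other is common rather than negligible, and `FactorFound`, `point_from_y` and `mul_mod_n` (this example's own names) make that event visible.

```python
from math import gcd

# Toy instance of the Koyama et al. curve E_k(0, b): y^2 = x^3 + b (mod k), with constructed
# parameters (not from the paper): p = 11, q = 17 (both = 2 mod 3), b = 1, n = 187.
# A point is an (x, y) tuple; None stands for the point at infinity O_k.

def lcm(a, b):
    return a * b // gcd(a, b)

class FactorFound(Exception):
    """A 'litigious addition': a denominator not invertible mod a composite k reveals a factor."""
    def __init__(self, factor):
        super().__init__(f"non-invertible denominator reveals the factor {factor}")
        self.factor = factor

def inv(a, k):
    g = gcd(a % k, k)
    if g != 1:
        raise FactorFound(g)
    return pow(a, -1, k)

def add(P, Q, k):
    """Chord-and-tangent addition on E_k(0, b); the coefficient b never enters the formulas."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if (x1 - x2) % k == 0:
        if (y1 + y2) % k == 0:
            return None                        # Q = -P
        lam = 3 * x1 * x1 * inv(2 * y1, k)     # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * inv(x2 - x1, k)
    x3 = (lam * lam - x1 - x2) % k
    y3 = (lam * (x1 - x3) - y1) % k
    return (x3, y3)

def mul(m, P, k):
    """Double-and-add scalar multiplication m * P."""
    R = None
    while m:
        if m & 1:
            R = add(R, P, k)
        m >>= 1
        if m:
            P = add(P, P, k)
    return R

def points(p, b):
    """All points of E_p(0, b) for a small prime p, by brute force (O_p included)."""
    return [None] + [(x, y) for x in range(p) for y in range(p) if (y * y - x ** 3 - b) % p == 0]

def lemma2_holds(p, b):
    """Lemma 2: for p = 2 (mod 3), |E_p(0, b)| = p + 1 (cubing is a bijection on F_p,
    so each y has exactly one x)."""
    return len(points(p, b)) == p + 1

def lemma1_holds(p, q, b):
    """Lemma 1 the way its proof goes: mu = lcm(|E_p|, |E_q|) annihilates every point modulo p
    and modulo q, hence by the Chinese remainder theorem every point of E_n."""
    mu = lcm(p + 1, q + 1)
    return (all(mul(mu, P, p) is None for P in points(p, b)) and
            all(mul(mu, P, q) is None for P in points(q, b)))

def point_from_y(y, b, p, q):
    """With the factors known, a point of E_n(0, b) from y: x = (y^2 - b)^(1/3) mod n, a cube
    root that exists uniquely because gcd(3, (p-1)(q-1)) = 1 when p = q = 2 (mod 3)."""
    n = p * q
    d = pow(3, -1, lcm(p - 1, q - 1))
    return (pow((y * y - b) % n, d, n), y)

def mul_mod_n(m, P, n):
    """m * P computed directly modulo n: either ('point', R) with R a point of E_n (possibly
    O_n), or ('factor', g) when an intermediate result is O modulo one factor only and the
    failed inversion leaks that factor."""
    try:
        return ("point", mul(m, P, n))
    except FactorFound as e:
        return ("factor", e.factor)

if __name__ == "__main__":
    p, q, b = 11, 17, 1
    P = point_from_y(2, b, p, q)                    # (75, 2) on E_187(0, 1)
    print(lemma2_holds(p, b), lemma1_holds(p, q, b))
    print(mul_mod_n(lcm(p + 1, q + 1), P, p * q))  # ('point', None): mu * P = O_n
    print(mul_mod_n(18, P, p * q))                  # ('factor', 17): 18P = O mod q, not mod p
```

The second multiplication is instructive: $18 = q + 1$ kills $P$ modulo $17$ but, since $P$ has order 12 modulo $11$, not modulo $11$, so the last addition meets a difference of $x$-coordinates divisible by $17$ but not by $187$ and the inversion fails with $\gcd = 17$. For $n$ of cryptographic size the chance of such a partial point at infinity appearing in an addition chain is negligible, which is the remark made above.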


2.1 Our Setting 

Just as above, for some $b \in \mathbb{Z}_n^*$, we will be considering the curve $E_n(0, b)$ as a 
finite abelian group of order 

$$\mu = |E_n(0, b)| = \mathrm{lcm}(p + 1, q + 1).$$

In our setting, the prime factors $p$ and $q$ are both chosen congruent to 2 modulo 
3 so that, by virtue of Lemma 2, the two curves $E_p(0, b)$ and $E_q(0, b)$ are cyclic 
groups of respective orders $p + 1$ and $q + 1$. We also impose 

$$p + 1 = 6 \cdot u \cdot p' \quad \text{where } u = \prod_i p_i^{e_i}, \qquad (1)$$

$$q + 1 = 6 \cdot v \cdot q' \quad \text{where } v = \prod_j p_j'^{\,f_j}, \qquad (2)$$

for some $B$-smooth integers $u$ and $v$ of (roughly) equal bitsize such that 
$\gcd(6, u, v, p', q') = 1$ 
and $B = O(\log n)$. Integers $p'$ and $q'$ are taken prime. The whole construction 
is closely related to Naccache and Stern's encryption scheme [8]. In our case, we 
focus on base points of $E_n(0, b)$ of order a multiple of $\sigma = uv$. If $G$ is such a 
point, then one could envision encrypting some plaintext $m \in \mathbb{Z}_\sigma$ by 

$$m \mapsto m \cdot G + \sigma \cdot R \quad \text{where } R \in_R E_n(0, b), \qquad (3)$$

and decrypt by computing the residuosity class with respect to G. Because a was 
chosen to be smooth, computing discrete logarithms for a base of degree a can be 
efficiently done using the baby-step giant-step algorithm combined with Pohlig 
and Heilman’s method. Thus, one can compute residuosity classes on E n ( 0 , b) in 
polynomial time provided that p is known, i.e. knowing the factors of n. There 
still remains the problem of randomly choosing an element R £r E n ( 0, b) during 
encryption: the spontaneous creation of an arbitrary point seems to require either 
the computation of a quadratic root of R% + b with R x £ R Z n (equivalent to 
the knowledge of the factors), or the computation of fjRy — b with R y £ R Z n 
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(equivalent to RSA on Z* with e = 3). An elegant solution 4 consists in modifying 
the encryption function so that mSZ„is now encrypted as 

to i — > G = (to + or) • G with r £r Z n , 

and decryption necessitates to compute the discrete logarithm of (p/a) ■ C with 
respect to the base G' = (p/a) • G, which is done as previously discussed since 
G' is of smooth order a. The so-obtained probabilistic encryption scheme is 
described more precisely hereafter. 

Our parameter generation process is very similar to Naccache and Stern's. One chooses two $B$-smooth integers $u$ and $v$ of product $\sigma$ such that $\log \sigma = O(\log^{\varepsilon} n)$ with $\varepsilon > 0$. For practical use, one sets as in [8] $\lceil \log_2 \sigma \rceil = 160$ and $B \approx 2^{10}$. Prime numbers $p$ and $q$ are then generated according to equations (1) and (2). The choice of $b$ is arbitrary in $\mathbb{Z}_n^*$: we recommend a small constant value such as $b = 1$, which makes point additions easier. The base point $G$ can be chosen of maximal order $\mu = \mathrm{lcm}(p+1, q+1)$, computed separately mod $p$ and mod $q$, and recombined at the very end by Chinese remaindering.

Public key: $n, b, \sigma, G$.

Private key: $(p, q)$ or $\mu = \mathrm{lcm}(p+1, q+1)$.

Encryption: plaintext $m \in \mathbb{Z}_\sigma$,
  pick a random $r < n$,
  ciphertext $C = (m + \sigma r) \cdot G$.

Decryption: compute $u = (\mu/\sigma) \cdot C = m \cdot G'$.
  Use Pohlig-Hellman and baby-step giant-step to compute the discrete log of $u$ in base $G'$.

Decryption can also be performed over $E_p(0,b)$ and $E_q(0,b)$: in this case, one separately computes $m \bmod u$ and $m \bmod v$. The plaintext $m$ is then recovered modulo $\sigma$ by Chinese remaindering.
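The scheme just described, as an added toy implementation that is not code from the paper: keys are generated following equations (1) and (2), encryption uses the public key only, and decryption works modulo p and modulo q separately with a brute-force Pohlig-Hellman step standing in for baby-step giant-step. Sizes are deliberately tiny (40-bit p' and q', far below the 768-bit n of section 2.3); the smooth parts u = 5·7·11·13 and v = 17·19·23·29 and the choice b = 1 are constructed for the demonstration.

```python
import random
from math import lcm, prod

def is_probable_prime(n, rounds=24):
    """Miller-Rabin primality test; adequate for a toy key generator."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def ec_add(P, Q, mod):
    """Affine addition on y^2 = x^3 + b over Z_mod; None is the point at infinity.
    Over Z_n a non-invertible denominator would expose a factor of n (negligible here)."""
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if (y1 + y2) % mod == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, mod) % mod  # tangent slope, a = 0
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, mod) % mod
    x3 = (lam * lam - x1 - x2) % mod
    return x3, (lam * (x1 - x3) - y1) % mod

def ec_mul(k, P, mod):
    """Double-and-add scalar multiplication k.P."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, mod)
        P, k = ec_add(P, P, mod), k >> 1
    return R

def crt(r1, m1, r2, m2):
    """Chinese remaindering for coprime moduli m1, m2."""
    return (r1 + m1 * ((r2 - r1) * pow(m1, -1, m2) % m2)) % (m1 * m2)

def make_prime(u, bits):
    """Equation (1): (p, p') with p' prime and p = 6*u*p' - 1 prime, hence p = 2 (mod 3)."""
    while True:
        pp = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        p = 6 * u * pp - 1
        if is_probable_prime(pp) and is_probable_prime(p):
            return p, pp

def generator_mod_p(p, b, factors):
    """Random point of order exactly p+1 on the cyclic group E_p(0,b) (lemma 2). As p = 2 (mod 3),
    cubing is a bijection of F_p and c^((2p-1)/3) is the cube root of c: x is solved from a random y."""
    e = (2 * p - 1) // 3
    while True:
        y = random.randrange(1, p)
        P = (pow((y * y - b) % p, e, p), y)
        if all(ec_mul((p + 1) // l, P, p) is not None for l in factors):
            return P

def keygen(u_primes, v_primes, b=1, bits=40):
    """u_primes/v_primes: disjoint primes > 3, the smooth parts u, v of p+1, q+1 (eqs. 1, 2);
    sigma = u*v. G is built of order p+1 mod p and q+1 mod q, then recombined by CRT."""
    u, v = prod(u_primes), prod(v_primes)
    while True:
        (p, pp), (q, qq) = make_prime(u, bits), make_prime(v, bits)
        if pp != qq:  # then gcd(6, u, v, p', q') = 1 pairwise
            break
    Gp = generator_mod_p(p, b, [2, 3, pp] + u_primes)
    Gq = generator_mod_p(q, b, [2, 3, qq] + v_primes)
    G = (crt(Gp[0], p, Gq[0], q), crt(Gp[1], p, Gq[1], q))
    return (p * q, b, u * v, G), (p, q, u_primes, v_primes, G)

def encrypt(pub, m):
    """C = (m + sigma*r).G with r random below n, using public data only (m in Z_sigma)."""
    return ec_mul(m + pub[2] * random.randrange(pub[0]), pub[3], pub[0])

def dlog_smooth(U, Gs, primes, p):
    """Pohlig-Hellman on E_p for a base Gs of squarefree order prod(primes); brute force per prime."""
    order, m, mod = prod(primes), 0, 1
    for l in primes:
        U_l, G_l = ec_mul(order // l, U, p), ec_mul(order // l, Gs, p)
        k = next(k for k in range(l) if ec_mul(k, G_l, p) == U_l)
        m, mod = crt(m, mod, k, l), mod * l
    return m

def decrypt(priv, C):
    """m mod u on E_p and m mod v on E_q (end of section 2.1), then CRT; (mu/sigma).G has order u, resp. v."""
    p, q, u_primes, v_primes, G = priv
    sigma, mu = prod(u_primes) * prod(v_primes), lcm(p + 1, q + 1)
    parts = []
    for mod, primes in ((p, u_primes), (q, v_primes)):
        Gs = ec_mul(mu // sigma, (G[0] % mod, G[1] % mod), mod)  # G' = (mu/sigma).G
        U = ec_mul(mu // sigma, (C[0] % mod, C[1] % mod), mod)   # = m.G'
        parts.append(dlog_smooth(U, Gs, primes, mod))
    return crt(parts[0], prod(u_primes), parts[1], prod(v_primes))
```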

2.2 Security Analysis

Clearly, inverting the encryption function of our scheme is equivalent to computing residuosity classes on $E_n(0,b)$, and the semantic security is equivalent to the decisional version of the same problem. By analogy with [8], we conjecture that these two problems are actually intractable.

Note also that the scheme can be made deterministic by setting $r = 0$ in the encryption function. We then have $C = m \cdot G$ as in Vanstone and Zuccherato's cryptosystem [23]. This variant is of moderate interest as it loses semantic security.

⁴ Alternatively, one can pick random coordinates for $R$ and then select the coefficient $b$ as $b = R_y^2 - R_x^3 \bmod n$. During decryption, $b$ is recovered as $b = C_y^2 - C_x^3$. In this event, the scheme relies on a family of curves, see [5].
2.3 Implementation Aspects

We briefly analyze the performance of our encryption scheme. Note first that since $E_p(0,b)$ and $E_q(0,b)$ are cyclic and $G$ is chosen of maximal order, the ciphertext space is $E_n(0,b)$ itself. The expansion rate is therefore $\rho = 2\lceil \log_2 n \rceil / \lceil \log_2 \sigma \rceil$, i.e. twice that of Naccache and Stern's cryptosystem. This is due to the fact that the ciphertext has two coordinates modulo $n$. For instance, we have $\rho \approx 10$ when $\lceil \log_2 n \rceil = 768$ and $\lceil \log_2 \sigma \rceil = 160$. One way to increase the encryption bandwidth is to transmit only one ciphertext coordinate. Transmitting $C_y$, $C_x$ is recovered before decryption by extracting the cube root of $C_y^2 - b \bmod n$. Transmitting $C_x$, decryption leads to exactly four message solutions: necessarily, 2 redundant bits then have to be included in the plaintext to eradicate any decryption ambiguity. This is similar to Rabin encryption [14].


3 Elliptic Curve Okamoto-Uchiyama Encryption

In this section, we show how to extend the setting defined in [9] to the one of elliptic curves. In particular, the technique we suggest addresses an open question described in [10].

It is known that curves $E_p(a,b)$ over $\mathbb{F}_p$ which have trace of Frobenius one (they are said to be anomalous) present the property that computing discrete logarithms on them is very easy. To be more precise, such an extraction requires a linear number of field operations over $\mathbb{F}_p$, i.e. $O(\log^3 p)$ bit operations. This was studied by several authors [20,19,22]. Okamoto et al. [10] attempted to take advantage of this feature to design an identity-based cryptosystem, but due to $|E_p(a,b)| = p$, we believe that this property can hardly be captured so directly into a properly secure encryption scheme. Instead, we extend the discrete logarithm recoverability property to a $p$-subgroup of $E_{p^2}(a,b)$ so that the projection onto $\mathbb{F}_p$ gives the twist of an anomalous curve. This is done as follows. We begin by stating a few useful facts that derive from Hasse's theorem.

Lemma 3. Let $E_p(a,b) : y^2 = x^3 + ax + b \bmod p$ be an elliptic curve of order $|E_p(a,b)| = p + 1 - t$ where $|t| \le 2\sqrt{p}$. Then for any integers $a, b$ such that $a \equiv a \pmod p$ and $b \equiv b \pmod p$, we have

$$|E_{p^2}(a,b)| = (p + 1 - t)(p + 1 + t).$$

The curve $E_{p^2}(a,b)$ is usually said to be a lift of $E_p(a,b)$ to $\mathbb{F}_{p^2}$. One consequence of lemma 3 is that if $E_p(a,b)$ has $p + 2$ points, then any lift $E_{p^2}(a,b)$ must be of order $p(p+2)$.

Lemma 4. Let $E_p(a,b)$ be an elliptic curve over $\mathbb{F}_p$ of order $p + 2$. Provided that $p \equiv 2 \pmod 3$, any lift $E_{p^2}(a,b)$ of $E_p(a,b)$ to $\mathbb{F}_{p^2}$ is cyclic.

Proof. Let $E_{p^2}(a,b)$ be a non-cyclic lift of $E_p(a,b)$. From Rück's theorem [17], we know that $E_{p^2}(a,b) \cong \mathbb{Z}_{d_1} \times \mathbb{Z}_{d_2}$ with $d_1 \mid d_2$, $d_1 > 1$ and $d_1 \mid p^2 - 1$. By virtue of lemma 3, we must have $d_1 d_2 = p(p+2)$. Therefore, $d_1$ divides

$$\gcd(p + 2, p^2 - 1) = \gcd(p + 2, p - 1) = \gcd(3, p - 1),$$

which implies $d_1 = 3$ or $1$. Since $d_1 \ne 1$ and $p = 2 + 3\eta$ for some integer $\eta$, we get the contradiction $3 \mid (1 + 3\eta)$. Hence $E_{p^2}(a,b)$ must be cyclic. □

In what follows, $p$ denotes a large prime verifying $p \equiv 2 \pmod 3$, $E_p(a,b)$ stands for a curve of order $p + 2$ and $E_{p^2}(a,b)$ is some lift of $E_p(a,b)$ to $\mathbb{F}_{p^2}$. We note

$$E[p] = (p + 2) \cdot E_{p^2}(a,b)$$

the (cyclic) $p$-torsion subgroup formed by the points of order dividing $p$, i.e. points of order $p$ together with the point at infinity $O_{p^2}$ of $E_{p^2}(a,b)$. We state:

Theorem 1. There exists a polynomial time algorithm that computes discrete logarithms on $E[p]$ with complexity at most $O(\log^3 p)$.

Proof. Since $E[p]$ is the group of $p$-torsion points of $E_{p^2}(a,b)$, we could apply Semaev's algorithm [20] stricto sensu. We rather rely on a (simpler) elliptic-log-based approach similar to Smart's [22], as follows. Observe that any point $P$ belongs to $E[p]$ if (and only if) it is a lift of $O_p \in E_p(a,b)$, wherefrom $E[p]$ is the kernel of the reduction map $P \mapsto P \bmod p$. Hence the $p$-adic elliptic logarithm (see [21, p. 175])

$$\psi_p(x,y) = -\frac{x}{y} \bmod p^2$$

is well-defined and can be applied to any point of $E[p]$. $\psi_p$ being actually a morphism, if $P = m \cdot G$ for arbitrary points $P, G \in E[p]$, we have

$$m = \frac{\psi_p(P)}{\psi_p(G)} \bmod p,$$

provided that $G \ne O_{p^2}$. The main computational workload lies in the modular divisions, which require at most $O(\log^3 p)$ bit operations. □

Note that other approaches such as Satoh and Araki's [19] or Rück's [16], in application to our case, would have led to somewhat equivalent computation methods.


3.1 Description

This section shows how to realize an analogue of Okamoto and Uchiyama's encryption scheme [9] on elliptic curves, in the sense wanted by the same authors in [10]. We make use of our previous results as follows.

One first chooses two large primes $p$ (with $p \equiv 2 \pmod 3$) and $q$ of bitsize $k$, and sets $n = p^2 q$. The user then picks integers $a_p, b_p \in \mathbb{F}_p$ such that $E_p(a_p, b_p)$ is of order $p + 2$, using techniques such as [7]. He then chooses some lift $E_{p^2}(a_p, b_p)$ of $E_p(a_p, b_p)$ to $\mathbb{F}_{p^2}$, as well as a random curve $E_q(a_q, b_q)$ defined over $\mathbb{F}_q$. Using Chinese remaindering, the user combines $E_{p^2}(a_p, b_p)$ and $E_q(a_q, b_q)$ to get the curve $E_n = E_n(a,b)$ where $a, b \in \mathbb{Z}_n$. Finally, the user picks a point $G \in E_n$ of maximal order $\mathrm{lcm}(|E_{p^2}|, |E_q|)$ and sets $H = n \cdot G$. Our cryptosystem is as depicted below.

Public key: $n = p^2 q$, $E_n$, $G$ of maximal order, $H = n \cdot G$.

Private key:

Encryption: plaintext $m < 2^{k-1}$,
  pick a random r <
  ciphertext C = m ·

Decryption: compute $m = \dfrac{\psi_p((p+2) \cdot C)}{\psi_p((p+2) \cdot G)} \bmod p$.

Our system is very similar in spirit to Okamoto and Uchiyama's encryption as originally discovered. For this reason, most properties of their scheme still apply to ours: in particular, chosen ciphertext security can easily be shown equivalent to factoring $n = p^2 q$. The proof of this fact is a straightforward adaptation of Okamoto and Uchiyama's, see [9]. Besides, one-wayness and semantic security remain effective, except that they rely on problems related to high ($p$-degree) residuosity on $E_n$ instead of $\mathbb{Z}_n^*$. The scheme also features additive homomorphic properties for short messages.


4 Elliptic Curve Paillier Encryption

In this section, we refine the previous encryption technique to meet more advanced security requirements: we show how to construct an efficient yet natural embodiment of Paillier's cryptosystem [11] on elliptic curves. We first extend the setting of section 3 to curves defined over $\mathbb{Z}_{n^2}$ where $n = pq$. Suppose $E_{p^2}(a_p, b_p)$ (resp. $E_{q^2}(a_q, b_q)$) is some lift of a curve of order $p + 2$ (resp. $q + 2$) defined over $\mathbb{F}_p$ (resp. $\mathbb{F}_q$). Considering $E_{n^2}(a,b)$ as the Chinese remaindering of $E_{p^2}(a_p, b_p)$ and $E_{q^2}(a_q, b_q)$ (hence it is defined over the ring $\mathbb{Z}_{n^2}$), it is easily seen that $E_{n^2}(a,b)$ is of order $n\mu$ where

$$\mu = \mu(n) = \mathrm{lcm}(p + 2, q + 2).$$

We extend theorem 1 to the present setting as follows. Noting

$$E[n] = \mu \cdot E_{n^2}(a,b),$$

we state:

Corollary 1 (of theorem 1). There exists a polynomial time algorithm that computes discrete logarithms on $E[n]$ with complexity $O(\log^3 n)$.
Proof. This is easily proven, either by applying theorem 1 twice on the curves $E[p] \cong E[n] \bmod p^2$ and $E[q] \cong E[n] \bmod q^2$ and then Chinese remaindering the local logarithms, or more compactly by defining over $E[n]$ an $n$-adic elliptic logarithm

$$\psi_n(x,y) = -\frac{x}{y} \bmod n^2.$$

Provided that $P = m \cdot G$ for $P, G \in E[n]$ and $G \ne O_{n^2}$, one retrieves $m$ by computing

$$m = \frac{\psi_n(P)}{\psi_n(G)} \bmod n.$$ □

Here is how the cryptosystem is initialized: the user chooses two large primes $p$ and $q$ (with $p \equiv q \equiv 2 \pmod 3$) and sets $n = pq$. He then picks integers $a_p, b_p \in \mathbb{F}_p$ and $a_q, b_q \in \mathbb{F}_q$ such that $E_p(a_p, b_p)$ is of order $p + 2$ and $E_q(a_q, b_q)$ is of order $q + 2$. Lifted curves $E_{p^2}(a_p, b_p)$ and $E_{q^2}(a_q, b_q)$ are chosen and combined to get $E_{n^2} = E_{n^2}(a,b)$. Finally, a base point $G \in E_{n^2}$ is chosen of order divisible by $n$, possibly of maximal order $n\mu$.

Public key: $n = pq$, $E_{n^2}$, $G$.

Private key: $\mu = \mathrm{lcm}(p + 2, q + 2)$ or equivalently $(p, q)$.

Encryption: plaintext $m \in \mathbb{Z}_n$,
  pick a random $r < n$,
  ciphertext $C = (m + nr) \cdot G$.

Decryption: compute $m = \dfrac{\psi_n(\mu \cdot C)}{\psi_n(\mu \cdot G)} \bmod n$.

Note that, due to lemma 4, the ciphertext space covers the entire curve $E_{n^2}$, i.e., any point of $E_{n^2}$ is the image of some plaintext. We therefore have a maximal encryption bandwidth. This is obtained thanks to the fact that all curves we work with are cyclic.


4.1 Security Analysis

Here again, the very close resemblance of our encryption scheme to [11] implies that most cryptographic features happen to be identical in the two cases. The one-wayness of our scheme is equivalent to the problem of computing residuosity classes over $E_{n^2}$ which, provided that $n$ is hard to factor, we conjecture to be intractable⁵. Similarly, semantic security relates to the indistinguishability of $n$-residues of $E_{n^2}$, i.e. points belonging to $E[\mu] = n \cdot E_{n^2}$, from other points of the curve. We conjecture this problem to be intractable as well.

Our scheme is clearly malleable, and as such, does not resist adaptive chosen-ciphertext attacks. We believe, however, that security enhancement techniques such as [12] could be applied mutatis mutandis to meet provable security at the strongest level NM-CCA2.

⁵ This is similar to the Composite Residuosity Assumption over $\mathbb{Z}_{n^2}^*$, see [11,12].
4.2 Implementation Aspects

Slight modifications of our encryption scheme may allow significant cost savings: a typical implementation speed-up is obtained by choosing a base point $G$ of order $n\alpha$ with $\alpha = \alpha_p \alpha_q$, where

$$\alpha_p \mid p + 2, \quad \alpha_p \nmid q + 2, \quad \alpha_q \mid q + 2, \quad \alpha_q \nmid p + 2,$$

and $\lceil \log_2 \alpha \rceil$ is fixed to 160 for practical use. The decryption process is then advantageously replaced by

$$m = \frac{\psi_n(\alpha \cdot C)}{\psi_n(\alpha \cdot G)} \bmod n$$

where the main computational workload is now a single scalar multiplication⁶ by a short 160-bit constant. Chinese remaindering can also be used during decryption.


4.3 Homomorphic Properties 

Our encryption scheme is (+, +)-homomorphic, i.e. an elliptic curve addition of 
two or several ciphertexts induces the implicit modular addition of the corre- 
sponding plaintexts. It also allows self-blinding, that is, provides the ability to 
publicly randomize a given ciphertext while conserving the correspondence with 
the initial plaintext. Finally, just like other known one-way trapdoor morphisms, 
the scheme provides random self-reducible encryption [3,18]. 

5 Conclusions 

This paper introduced three new probabilistic encryption schemes on elliptic 
curves over rings. The cryptosystems are based on three specific trapdoor mech- 
anisms allowing the recipient to recover discrete logarithms on different types of 
curves. More specifically, we showed how to design embodiments of Naccache- 
Stern, Okamoto-Uchiyama and Paillier discrete-log encryption schemes. Each 
provided cryptosystem is probabilistic and semantically secure relatively to the 
high residuosity problem associated with its curve type. We believe our work 
positively concretizes all previous research works on discrete log encryption in 
the elliptic curve setting. 
⁶ The value of $\psi_n(\alpha \cdot G)^{-1} \bmod n$ can be pre-computed and stored before decryption takes place.
Abstract. The McEliece cryptosystem is a public-key cryptosystem based on error-correcting codes. It constitutes one of the few alternatives to cryptosystems relying on number theory. We present a modification of the McEliece cryptosystem which strengthens its security without increasing the size of the public key. We show that it is possible to use some properties of the automorphism groups of the codes to build decodable patterns of large-weight errors. This greatly strengthens the system against decoding attacks.


1 Introduction 

Since public-key cryptography was introduced in 1977 in the fundamental paper of Diffie and Hellman, it has taken on increasing importance in research as well as in application fields. Many public-key ciphers have been proposed during the last twenty years; they rely on various difficult problems such as factoring numbers, computing discrete logarithms, solving knapsack problems... However, the combined development of computing power and efficient algorithms has made many of them insecure. A common point between the not-yet-broken systems is that they remain dangerously linked with only two problems of number theory - the difficulty of factoring an integer and the difficulty of computing a discrete logarithm - and we are not protected from a theoretical breakthrough.

McEliece proposed an alternative to such systems in 1978 [McE78]. It consists in a public-key cryptosystem based on error-correcting codes. Together with its Niederreiter [Nie86] version - of equivalent security [LDW94] - the original system based on the family of Goppa codes still resists cryptanalysis. The general security of the scheme relies on the inherent intractability of decoding a random code up to its error-correcting capability. The great advantage of systems based on error-correcting codes is the extremely low cost of their encryption and decryption procedures, which approaches the complexity of secret-key encryption schemes. Furthermore, if by chance major breakthroughs were made on number theory problems, such systems would constitute one of the few possible alternatives; therefore the study of their security is essential. The cost of a general decoding attack on these systems depends on the size of the chosen code and its error-correcting capability. The best known algorithm based on this method [CS98] points out that the size of the public key of the original system is becoming short with respect to the increasing power of computers. A safer step would be to take a larger key. Yet, in that case the huge size of the key (more than 880 kbytes) would be a major disadvantage for implementation on limited-resource systems. In this paper we present a modification of the McEliece cryptosystem which makes all decoding attacks infeasible without increasing the size of the public key.

T. Okamoto (Ed.): ASIACRYPT 2000, LNCS 1976, pp. 585-598, 2000.

The underlying idea results from a trade-off between the strong security of the system against structural attacks and its much weaker security regarding decoding attacks. We allow ourselves to reduce the size of the space of public keys, weakening the system against structural attacks, in order to increase its security against decoding attacks. This can be done by using some property of the automorphism group of Goppa codes. Namely, whenever the Frobenius automorphism lies in the automorphism group of the code, we can generate large sets of decodable error words of larger weight than the constructed error-correcting capability of the code. We show that whenever such sets are used in the system, the cost of decoding attacks is significantly increased.

2 McEliece Public-Key Cryptosystem

In the family of public-key cryptosystems based on coding theory, the one proposed by McEliece is the most widely considered. Namely, it is not only the first encryption scheme using coding theory ever proposed, but it has also resisted all attacks attempting to recover the secret key.

Other McEliece-like systems using different families of codes have been structurally cryptanalysed [SS92]. The credit for its resistance can thus be given to the family of Goppa codes taken as the secret-key space. Their poor structure prevents an attacker from finding a way to significantly reduce the size of the key space. However, the size of the public key has to be significantly large to avoid general decoding attacks. Even with such a constraint, both encryption and decryption procedures for the system remain much faster than for RSA.

2.1 Description of the Cryptosystem

A linear binary code of length $n$ and dimension $k$ is a linear subspace of $\mathbb{F}_2^n$. It can be represented by a $k \times n$ binary matrix called a generating matrix. Two codes $C_1$ and $C_2$ of length $n$ are said to be equivalent if there exists a permutation of the $n$ coordinate places changing $C_1$ into $C_2$.

The permutations of coordinate places sending a code $C$ into itself form the automorphism group of the code $C$.

Irreducible Goppa Codes. The secret-key space is a family of irreducible Goppa codes [MS77, p. 338]. The receiver must thus consider some notions of finite field algebra. Namely, the construction of a Goppa code $\Gamma(L,g)$ [Gop70] involves:

1. a finite field $\mathbb{F}_{2^m}$ with $2^m$ elements. $\mathbb{F}_{2^m}$ is the support field of the code,

2. a labeling $L$ of $\mathbb{F}_{2^m}$. $L$ is called the generating vector of the code,

3. an irreducible polynomial $g$ over $\mathbb{F}_{2^m}$ of degree $t$. $g$ is called the generating polynomial of the code.
Properties. Every irreducible Goppa code $\Gamma(L,g)$ has a fast polynomial-time decoding algorithm [Pat75] up to its constructed error-correcting capability. The error-correcting capability of the code is lower bounded by $t$, the degree of the generating polynomial, that is, any error of weight less than $t$ occurring on a codeword can be corrected.

Key Space. To construct the scheme one takes the family $\mathcal{G}$ of irreducible Goppa codes of length $n = 2^m$, dimension $k$ and error-correcting capability $t$. The cardinality of $\mathcal{G}$ is almost always equal to the number of irreducible polynomials of degree $t$ over the finite field with $2^m$ elements, that is approximately $2^{mt}/t$. With the original parameters, $n = 1024$, $k = 524$, $t = 50$, the size of the space is around $2^{496}$.

Cryptosystem. It has the following form:

1. Private key: a Goppa code $\Gamma(L,g)$ randomly picked in the family $\mathcal{G}$, a random $k \times k$ non-singular binary matrix $S$, and a random $n \times n$ permutation matrix $P$.

2. Public key: the product $G' = SGP$, where $G$ is a generating matrix for $\Gamma(L,g)$.

3. Encryption: let $x$ be the $k$-bit message to be encrypted; the sender computes $x' = xG' + e$ where $e$ is an $n$-bit error vector of weight $t$.

4. Decryption: the receiver computes $x'P^{-1} = xSG + eP^{-1}$, and then recovers $xS$ by using the fast decoding algorithm of $\Gamma(L,g)$. Since $S$ is non-singular, the receiver recovers $x$.

The security of the system depends on the difficult problem of decoding a code up to its error-correcting capability.

Complexity of Encryption-Decryption. This encryption scheme has an extremely low complexity compared to RSA. Namely, [Can96]

- in the encryption procedure we can take for granted that the cost of generating a random word of length $n$ and weight $t$ is negligible compared to the cost of a matrix product. Hence the work factor for encryption is

$$W_E = nk/2;$$

- by using the Euclidean algorithm as decoding algorithm - which is not the most efficient but whose complexity is the easiest to evaluate - the work factor for decryption is

$$W_D \approx 3mnt + 4m^2t^2 + k^2/2.$$

Originally, Goppa codes of length $2^{10}$, dimension 524, and generator degree 50 are taken. This gives:

- Number of binary operations per information bit for encryption: $W_E/k = 512$, which is smaller than the 2402.7 binary operations per information bit required in the RSA-1024 encryption procedure.

- Number of binary operations per information bit for decryption: $W_D/k = 5101.7$, which is much smaller than the 738 112.5 binary operations per information bit required in the RSA-1024 decryption procedure.

With such parameters the system runs more than 100 times faster for decryption than RSA-1024 [CS98].

However, the system has three main drawbacks:

1. the transmission rate is low: $k/n$, that is 51 percent in this case. Some attempts have been made to increase the transmission rate.

2. the size of the public key has to be huge: $kn$ bits, approximately 500 Kbits. If keys are smaller, the scheme does not resist decoding attacks.

3. encrypting the same message twice is recognizable and the plaintext can be recovered straightforwardly.

Note that by using the Niederreiter variant [Nie86] of the system, we can completely eradicate the problem of encrypting the same message twice. Moreover, it allows one to increase the transmission rate and to halve the size of the public key without reducing the security of the system [LDW94].

2.2 Attacks on the System

There are two main approaches to cryptanalyse the system. They rely on two separate difficult problems.

1. The first one consists in reconstructing a decoder for the code generated by the public key $G'$ by studying its structure. Such an approach is called a structural attack.

From the very construction of the system, the code $C'$ generated by the public key $G'$ is equivalent to $\Gamma(L,g)$. The attack consists in enumerating the codes in the family $\mathcal{G}$ to find a code $\Gamma \in \mathcal{G}$ which is equivalent to $C'$. Since equivalence classes of Goppa codes are constructible [Gib91], one can reduce the cost of the attack by examining a single element in each equivalence class. Yet the equivalence classes have too small a cardinality to decrease the cost of the attack significantly. For instance, if we take the original parameters - $t = 50$ and $n = 1024$ - there are $2^{496}$ irreducible polynomials of degree 50 over $\mathbb{F}_{2^{10}}$, and the equivalence classes have at most $2^{30}$ elements. Finding a code equivalent to $C'$ thus implies exploring on average more than $2^{466}$ codes. This remains largely beyond the capabilities of the most powerful computers.

Once $\Gamma$ equivalent to $C'$ has been found, one recovers the permutation between $\Gamma$ and $C'$ by applying for instance the Support Splitting Algorithm.
2. The second approach consists in decoding the intercepted ciphertexts $x'$ relative to the public code $C'$ generated by the public key. It is called a decoding attack.

Since $\Gamma(L,g)$ is equivalent to $C'$, both codes have the same error-correcting capability $t$ and the equation $x' = x + e$, $x \in C'$, has a unique solution $(x, e)$ with $e$ of weight less than $t$. The cost of the attack depends only on the parameters of $C'$: its length, its dimension and its error-correcting capability. It implies that the parameters of the system have to be chosen very carefully and large enough. For this reason, the original parameters given by McEliece (length 1024, dimension 524, error-correcting capability $t = 50$) are becoming rather small for the state of the art [CS98]: decoding one word takes on average $2^{64}$ binary operations. The next "safer" step would be to take $n = 2048$ for the code length. However, the size of the key would then become really prohibitive for implementation on limited-resource systems.

Whereas efficient decoding attacks have been developed, investigations concerning the reconstruction of a decoder remain rather scarce. In the general instance of the system there is no better way than exhaustive search on the key space - reduced modulo the equivalence relation - testing the equivalence of each code with the code generated by the public key.

One could replace the Goppa codes by any other family of codes with a fast polynomial-time decoding algorithm. Many codes are better than Goppa codes regarding decoding attacks. However, the structure of these families makes the system insecure against structural attacks. For instance, if one replaces the family of Goppa codes with the family of generalized Reed-Solomon codes or the family of concatenated codes, the recovery of a decoder can be done straightforwardly [SS92, Sen98].

3 Tower Decodable Patterns

Taken at random, Goppa codes have a structure similar to random codes. In particular, their automorphism group is usually trivial. Yet Goppa codes with a non-trivial automorphism group are constructible: if the generating polynomial has coefficients in a subfield $\mathbb{F}_{2^s}$ of the support field $\mathbb{F}_{2^m}$, then the automorphism group of the code is generated by the Frobenius automorphism. The attacker can detect this property by applying the Support Splitting Algorithm to the public key. This property was used to derive an almost realistic structural attack on the McEliece parameters whenever the generating polynomial has binary coefficients [LS98].

Although such a property weakens the system against structural attacks by reducing the size of the secret-key space, we show that it can equally be used to strengthen the system against decoding attacks. By using properties of the automorphism group, the designer can build sets of decodable patterns of large weight.

Moreover, from a cryptographic standpoint this set should satisfy some preliminary conditions: it must be large enough to avoid exhaustive search, and the error words must have a weight larger than the error-correcting capability of the code. If such sets are used in place of the error vectors added in the original system, the cost of decoding attacks is greatly increased without changing the size of the public key.

3.1 Automorphism Group of Goppa Codes

Suppose the support field is $\mathbb{F}_{2^m}$, and let $L = (\alpha_1, \ldots, \alpha_n)$ be a labeling of the support field. Let us consider the Goppa code $\Gamma(L,g)$ where the generating polynomial $g$ has coefficients in a subfield $\mathbb{F}_{2^s}$ of $\mathbb{F}_{2^m}$. Then we have

Proposition 1. The automorphism group of $\Gamma(L,g)$ contains the group generated by the Frobenius automorphism $\sigma : z \mapsto z^{2^s}$ of $\mathbb{F}_{2^m}/\mathbb{F}_{2^s}$.

The proof can be derived from Moreno's theorem [MS77, p. 347].

This means that the code $\Gamma(L,g)$ is invariant under the action of the Frobenius automorphism. If any word $c$ of length $n$ is labeled by $L$, we have

$$\forall c = (c_{\alpha_1}, \ldots, c_{\alpha_n}) \in \Gamma(L,g), \quad \sigma(c) = (c_{\sigma(\alpha_1)}, \ldots, c_{\sigma(\alpha_n)}) \in \Gamma(L,g).$$

3.2 t-Tower Decodability

Definition 1. Let $\mathcal{E}$ be a set of words of length $n = 2^m$, let $\mathbb{F}_{2^s}$ be a subfield of $\mathbb{F}_{2^m}$ and $\sigma : z \mapsto z^{2^s}$ the Frobenius automorphism of the extension field. We say that $\mathcal{E}$ is $t$-tower decodable if

1. for all $e \in \mathcal{E}$, there exists a linear combination

$$E = \sum_{i=0}^{m/s-1} \epsilon_i \, \sigma^i(e), \quad \epsilon_i \in \mathbb{F}_2,$$

having Hamming weight less than $t$, where $\sigma(e)$ denotes the action of the Frobenius on the word $e$,

2. the knowledge of $E$ enables the receiver to recover $e$ in $\mathcal{E}$ in a unique way.

In other words, $\mathcal{E}$ is a $t$-tower decodable set if there exists a linear combination of the powers of the Frobenius automorphism $\sigma$ that is a one-to-one mapping from $\mathcal{E}$ into the vectors of length $n$ and weight less than the correcting capability of the Goppa code.

The second condition in the definition is fundamental. It ensures that given a pattern we can invert all the operations to recover the original vector $e$.

The first condition is simple to achieve: let us take $\mathcal{E}$ the set of all the binary words $e$ of length $n$ satisfying

$$\sum_{i=0}^{m/s-1} \sigma^i(e) = 0.$$

However, it does not satisfy the second condition. Namely, every word in $\mathcal{E}$ is mapped onto the null word.

$t$-tower decodability is intimately linked with classical decodability up to $t$ in the family of Goppa codes with a non-trivial automorphism group:

Proposition 2. Let $\Gamma(L,g)$ be a Goppa code with generating polynomial of degree $t$ over a subfield $\mathbb{F}_{2^s}$ of the support field $\mathbb{F}_{2^m}$; then any error vector of a $t$-tower decodable set $\mathcal{E}$ is correctable in $\Gamma(L,g)$.

Proof. Let $x' = x + e$ where $x$ is a codeword in $\Gamma(L,g)$ and $e \in \mathcal{E}$. By definition of $\mathcal{E}$ there exists a linear combination of the powers of the Frobenius $E = \sum_{i=0}^{m/s-1} \epsilon_i \sigma^i(e)$ having weight less than $t$.

From Sect. 3.1 the automorphism group of $\Gamma(L,g)$ contains $\sigma$. Thus, the linear combination $\sum_{i=0}^{m/s-1} \epsilon_i \sigma^i(x)$ is also in the code $\Gamma(L,g)$.

Since $\sum_{i=0}^{m/s-1} \epsilon_i \sigma^i(x') = \sum_{i=0}^{m/s-1} \epsilon_i \sigma^i(x) + E$, by applying the decoding algorithm of $\Gamma(L,g)$ one recovers $E$. From Definition 1, the error vector $e$ can be recovered in a unique manner. □


3.3 Modified Cryptosystem 

Space of Secret Keys Let $g_1$ be an irreducible polynomial of degree $t_1$ over $\mathbb{F}_{2^m}$; 
$g_1$ is called the hiding polynomial. Let $\mathcal{G}$ be the family of the Goppa codes $\Gamma(L, g_1 g)$ 
where $g$ runs over the irreducible polynomials of degree $t$ over a subfield 
$\mathbb{F}_{2^s}$ of $\mathbb{F}_{2^m}$. 


Private Key As in the original scheme, it is made of 3 parts: 

— a $k \times n$ generating matrix $G$ of a code $\Gamma(L, g_1 g)$ randomly chosen in $\mathcal{G}$, 

— an $n \times n$ permutation matrix $P$, 

— a $k \times k$ non-singular matrix $S$. 

Public Key Unlike the original scheme, it consists of two parts: 

— the product $G' = SGP$, 

— the way to generate a $t$-tower decodable set $\mathcal{E}$. 

Encryption Let $x$ be the $k$-bit message that has to be transmitted. The sender 
chooses randomly a word $e$ in $\mathcal{E}$, then sends $x' = xG' + e$. 

Decryption The receiver first computes $x'P^{-1} = xSG + eP^{-1}$. 

Since $e$ is in the $t$-tower decodable set $\mathcal{E}$, from Definition 1 there is a linear 
combination $\sum_{i=0}^{m/s-1} \epsilon_i \sigma^i(e)$ of weight at most the error-correcting capability 
$t$ of $\Gamma(L, g)$. 

The receiver computes 

$$\sum_{i=0}^{m/s-1} \epsilon_i \sigma^i(x'P^{-1}) = \sum_{i=0}^{m/s-1} \epsilon_i \sigma^i(xSG) + \sum_{i=0}^{m/s-1} \epsilon_i \sigma^i(eP^{-1}).$$

Note that $xSG$ is a word in the code $\Gamma(L, g_1 g)$. However, by construction, 
$\Gamma(L, g_1 g)$ is a subcode of $\Gamma(L, g)$. Therefore we can consider that $xSG$ is a 
word in $\Gamma(L, g)$. Moreover, since $\sigma$ is in the automorphism group of $\Gamma(L, g)$ by 
construction, $\sum_{i} \epsilon_i \sigma^i(xSG)$ is also a codeword of $\Gamma(L, g)$. Since $P^{-1}$ is a 
permutation we have 

$$\sum_{i=0}^{m/s-1} \epsilon_i \sigma^i(eP^{-1}) = \Big( \sum_{i=0}^{m/s-1} \epsilon_i \sigma^i(e) \Big) P^{-1},$$

which is a decodable pattern in $\Gamma(L, g)$. The receiver thus gets the vector 
$E = \big( \sum_{i=0}^{m/s-1} \epsilon_i \sigma^i(e) \big) P^{-1}$ of weight at most $t$ by applying 
the decoding algorithm of $\Gamma(L, g)$. The knowledge of $E$ provides a unique way 
to find $e$. 

Complexity of the Scheme The complexity of the encryption is exactly the same 
as in the original system, since it consists of matrix products and picking 
a random vector. 

The decryption requires additional operations. However, the cost strongly 
depends on the structure of the $t$-tower decodable set $\mathcal{E}$. 

Conditions on $\mathcal{E}$ From a cryptological point of view, the $t$-tower decodable set 
must satisfy the following conditions: 

1. $\mathcal{E}$ has to be a set of words of weight larger than the error-correcting capability 
of the code. This condition strengthens the system against decoding attacks, 

2. $\mathcal{E}$ has to be large enough to avoid enumeration. Namely, if an exhaustive 
search on the possible error words were feasible, the initial message $x$ would 
be easily recovered, 

3. the way to generate $\mathcal{E}$ must be public, and must not reveal information that 
could help an attacker. 

Importance of the Hiding Polynomial $g_1$ We introduced the concept of a hiding 
polynomial $g_1$ to satisfy the third condition on $\mathcal{E}$. If we used for $\mathcal{G}$ the family of 
irreducible Goppa codes with generator polynomial over $\mathbb{F}_{2^s}$, by applying the 
support splitting algorithm to the public key $G'$ any attacker would be able to 
recover $\sigma$. Then one could apply linear combinations of the powers of the Frobenius auto- 
morphism and reduce the problem of finding the error vector $e$ to the problem 
of finding the vector $E$ of lower weight. 

The codes $\Gamma(L, g_1 g)$ are subcodes of the codes $\Gamma(L, g)$, which have a large structure. 
The introduction of the hiding polynomial scrambles the structure of the code, 
rendering the automorphism group of $\Gamma(L, g_1 g)$ trivial. Moreover, the hiding 
polynomial $g_1$ can be published since its knowledge does not give any exploitable 
information. 
4 Extension of Degree 5 

In the previous section we introduced the theoretical concept of tower decod- 
ability and how to use it in cryptography. In practice however, it is not easy to 
build $t$-tower decodable sets satisfying the cryptological requirements. Therefore 
we focus on the example of extensions of degree 5. They not only turned out to 
be suitable from a cryptological viewpoint but they also occur in the original 
parameters of the system. When using such $t$-tower decodable sets we show that, 
without increasing the size of the public key, the security of the modified system 
is increased. 

4.1 Construction of a $t$-Tower Decodable Set 

We consider the field extension $\mathbb{F}_{2^{5s}}$ of $\mathbb{F}_{2^s}$, and the corresponding Frobenius 
automorphism $\sigma : z \mapsto z^{2^s}$. Since 5 is prime, the orbits of the elements of $\mathbb{F}_{2^{5s}}$ 
have size 5, except the orbits of the elements of $\mathbb{F}_{2^s}$, which have size 1. Hence there are 
exactly $N_5 = (2^{5s} - 2^s)/5$ orbits of size 5. Let $L = (\alpha_1, \ldots, \alpha_n)$ be a labeling of 
the field $\mathbb{F}_{2^{5s}}$. From now on, we suppose that any word of length $n$ is labeled by 
$L$. 

The action of the Frobenius automorphism $\sigma$ on $e$ corresponds exactly to the 
action of the automorphism on the coordinates of $e$: if $e = (e_{\alpha_1}, \ldots, e_{\alpha_n})$ then 
$\sigma(e) = (e_{\sigma(\alpha_1)}, \ldots, e_{\sigma(\alpha_n)})$. 

We define a $t$-tower decodable set with respect to the Frobenius automor- 
phism as follows. 

Definition 2. Let $\mathcal{E}$ be the set of all the possible words of length $n = 2^{5s}$ con- 
structed this way: 

1. one chooses randomly $p$ orbits out of the $N_5$ orbits of size 5 in the generating 
vector $L$, where $p$ satisfies $p = \lfloor t/2 \rfloor$, 

2. puts randomly 3 bits on every chosen orbit, 

3. puts the coordinates to zero on the remaining positions. 

The set $\mathcal{E}$ contains words of weight $3p = 3 \lfloor t/2 \rfloor$. The construction of $\mathcal{E}$ relies 
on the knowledge of the position of the orbits in the labeling $L$ of the field. 

Proposition 3. Let $\mathcal{E}$ be the set of words previously defined. We have 

1. the cardinality of $\mathcal{E}$ is $10^p \cdot \binom{N_5}{p}$, 

2. $\mathcal{E}$ is $t$-tower decodable. 

Proof. There are $\binom{N_5}{p}$ possibilities in choosing $p$ orbits of size 5 out of $N_5$. Once 
these orbits have been chosen, there are $\binom{5}{3} = 10$ possibilities in choosing three 
bits out of 5, proving the first assertion. 

Let $e = (e_{\alpha_1}, \ldots, e_{\alpha_n})$ be a word in the set $\mathcal{E}$. We reorder the labeling $L$ of 
the support in such a way that $e$ is written 

$$e = (e_1, e_2, \ldots, e_{N_5}, 0, \ldots, 0)$$

where the $e_i = (e_{\alpha_i}, e_{\sigma(\alpha_i)}, e_{\sigma^2(\alpha_i)}, e_{\sigma^3(\alpha_i)}, e_{\sigma^4(\alpha_i)})$ denote the subvectors of length 
5 of $e$ labeled by the orbit corresponding to the element $\alpha_i$. By construction of 
$\mathcal{E}$, the $e_i$ have either weight 0 or weight 3. 

After the reordering, the action of the Frobenius automorphism $\sigma$ on the 
word $e$ becomes a combination of cyclic shifts on the vectors $e_i$. Therefore all 
5-bit patterns of weight 3 can be divided into two classes $f_1$ and $f_2$ up to the 
Frobenius shifting equivalence: 

Type 1                           Type 2 

$f_1 = (11100)$                  $f_2 = (11010)$ 
$\sigma(f_1) = (01110)$          $\sigma(f_2) = (01101)$ 
$\sigma^2(f_1) = (00111)$        $\sigma^2(f_2) = (10110)$ 
$\sigma^3(f_1) = (10011)$        $\sigma^3(f_2) = (01011)$ 
$\sigma^4(f_1) = (11001)$        $\sigma^4(f_2) = (10101)$ 


The patterns $f_1$ and $f_2$ play dual roles. There exist linear combinations of 
$f_1$, $f_2$ and of their Frobenius images that enable one to reduce the weight of 
one pattern from 3 to 1 while preserving the weight of the other. The average weight 
of the pattern is thus decreased. Namely we have 

$$f_1 + \sigma(f_1) + \sigma^2(f_1) = (10101), \qquad f_2 + \sigma(f_2) + \sigma^2(f_2) = (00001)$$

and 

$$f_1 + \sigma^2(f_1) + \sigma^3(f_1) = (01000), \qquad f_2 + \sigma^2(f_2) + \sigma^3(f_2) = (00111).$$

Whenever one has the image $f + \sigma(f) + \sigma^2(f)$ or $f + \sigma^2(f) + \sigma^3(f)$ of a 
pattern $f$ of weight 3, $f$ is recoverable in a unique way: 

1. from the weight of the obtained pattern one gets the type of the pattern, 
either type 1 or type 2, 

2. from the positions of the bits on the obtained pattern, one gets the original 
one. 


To prove that $\mathcal{E}$ is $t$-tower decodable, it is sufficient to prove that one of the 
linear combinations $e + \sigma(e) + \sigma^2(e)$ and $e + \sigma^2(e) + \sigma^3(e)$ has weight at most $t$. 
Suppose now that $e$ is made of $p_1$ patterns of type 1 and $p_2$ patterns of type 2. Then 
$e + \sigma(e) + \sigma^2(e)$ has weight $3p_1 + p_2$, and $e + \sigma^2(e) + \sigma^3(e)$ has weight $p_1 + 3p_2$. 
Since by construction $p = p_1 + p_2 = \lfloor t/2 \rfloor$, we have 

$$2(p_1 + p_2) \le t.$$

Since $(3p_1 + p_2) + (p_1 + 3p_2) = 4(p_1 + p_2) \le 2t$, at least one of $3p_1 + p_2$ and $p_1 + 3p_2$ 
is at most $t$. Hence at least one of the images of $e$ by the previous combinations has weight 
at most $t$. 

For instance if $e + \sigma^2(e) + \sigma^3(e)$ has weight at most $t$ then, by using the 
one-to-one correspondence between the patterns of weight 3 and 
their images by this transformation, the word $e$ can be recovered entirely. 

Thus $\mathcal{E}$ is $t$-tower decodable. □ 

Remark 1. The optimal parameters for $\mathcal{E}$ are $2p = t$. In this case each word in 
$\mathcal{E}$ has weight $3t/2$. With this method one can decode up to one half beyond the 
error-correcting capability $t$. 

McEliece Parameters The set considered is the set of irreducible polynomials 
over $\mathbb{F}_{2^{10}}$ with error-correcting capability 50. Since $m = 10$, we have $s = 2$. The 
number of orbits of size 5 is $N_5 = (2^{10} - 2^2)/5 = 204$. By taking the parameter $p = 25$, the set $\mathcal{E}$ 
generated is composed of $10^{25} \binom{204}{25} \approx 2^{188}$ words of weight 75. This is still negligible compared 
to the $\binom{1024}{50} \approx 2^{284}$ patterns of weight 50, but remains large enough to avoid enumeration. 
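The construction of Definition 2, the weight reduction and pattern inversion from the proof of Proposition 3, and the parameter check above, carried out in code. This is an added example and not code from the paper: it works in $\mathbb{F}_{2^{10}}$ over $\mathbb{F}_{2^2}$ ($s = 2$, $n = 1024$, $t = 50$), represents the field with the polynomial $x^{10} + x^3 + 1$ and takes the identity labeling $L = (0, 1, \ldots, 1023)$, both of which are my choices. The Goppa decoder of $\Gamma(L, g)$ is not implemented: the code forms the two combinations $e + \sigma(e) + \sigma^2(e)$ and $e + \sigma^2(e) + \sigma^3(e)$, picks the one of weight at most $t$ (the pattern a bounded-distance decoder would return) and inverts it orbit by orbit through the one-to-one correspondence. It also performs the check a real receiver should run on a decoder's output before trusting it: every 5-bit orbit image must be a legal image of a weight-3 pattern, otherwise the decoding of that combination was wrong and the other combination must be tried.

```python
"""Tower-decodable error sets over F_{2^10} / F_{2^2}: s = 2, m = 10, n = 1024 (added example)."""
import itertools
import math
import random

M, S = 10, 2                        # F_{2^m} over F_{2^s}; sigma(z) = z^(2^s) has order m/s = 5
N = 1 << M                          # code length n = 1024
POLY = (1 << 10) | (1 << 3) | 1     # x^10 + x^3 + 1, irreducible over F_2 (my choice of representation)

def gf_mul(a, b):
    """Multiply two elements of F_{2^10} held as 10-bit integers (carry-less, reduced mod POLY)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:
            a ^= POLY
    return r

def frob(z):
    """sigma(z) = z^(2^s): square s times."""
    for _ in range(S):
        z = gf_mul(z, z)
    return z

FROB = [frob(z) for z in range(N)]  # labeling L is the identity: position alpha = integer z

def size5_orbits():
    """The N_5 = (2^10 - 2^2)/5 = 204 orbits of sigma of size 5 (elements of F_4 are fixed points)."""
    seen, orbs = set(), []
    for z in range(N):
        if z in seen:
            continue
        orb, w = [z], FROB[z]
        seen.add(z)
        while w != z:
            orb.append(w)
            seen.add(w)
            w = FROB[w]
        if len(orb) == 5:
            orbs.append(orb)
    return orbs

ORBITS = size5_orbits()

def sigma(word):
    """sigma(e)_alpha = e_{sigma(alpha)} for a word indexed by the field elements."""
    return [word[FROB[z]] for z in range(N)]

def combine(word, powers):
    """sum over i in powers of sigma^i(word), addition in F_2."""
    out = [0] * N
    for i in powers:
        w = word
        for _ in range(i):
            w = sigma(w)
        out = [x ^ y for x, y in zip(out, w)]
    return out

def read(word, orb):
    return tuple(word[z] for z in orb)

def write(word, orb, pat):
    for z, b in zip(orb, pat):
        word[z] = b

COMBOS = {"e+s(e)+s2(e)": (0, 1, 2), "e+s2(e)+s3(e)": (0, 2, 3)}
WEIGHT3 = [c for c in itertools.product((0, 1), repeat=5) if sum(c) == 3]   # the 10 patterns

def inverse_table(powers):
    """image -> weight-3 pattern on one orbit; asserts the map is one-to-one and never zero."""
    table = {}
    for pat in WEIGHT3:
        w = [0] * N
        write(w, ORBITS[0], pat)
        img = read(combine(w, powers), ORBITS[0])
        assert any(img) and img not in table
        table[img] = pat
    return table

TABLES = {name: inverse_table(p) for name, p in COMBOS.items()}

def sample_error(t, rng):
    """Definition 2: p = floor(t/2) random size-5 orbits, 3 random bits on each; weight 3p > t."""
    e = [0] * N
    for orb in rng.sample(ORBITS, t // 2):
        for z in rng.sample(orb, 3):
            e[z] = 1
    return e

def reduce_and_recover(e, t):
    """Return (combination name, weight of E, recovered e); E stands for the decoder's output."""
    for name, powers in COMBOS.items():
        E = combine(e, powers)
        if sum(E) > t:
            continue                      # the decoder of Gamma(L, g) would fail on this one
        images = [(orb, read(E, orb)) for orb in ORBITS]
        # validation a receiver must apply to a decoder's output: every orbit image is legal
        if not all(not any(img) or img in TABLES[name] for _, img in images):
            continue
        rec = [0] * N
        for orb, img in images:
            if any(img):
                write(rec, orb, TABLES[name][img])
        return name, sum(E), rec
    raise ValueError("2p <= t guarantees one combination has weight <= t")

def log2_set_size(t):
    """log2 |E| with |E| = 10^p * binom(N_5, p) (Proposition 3); about 188 for t = 50."""
    p = t // 2
    return math.log2(10 ** p * math.comb(len(ORBITS), p))
```

With $t = 50$ every sampled word has weight 75, one of the two combinations drops it to weight at most 50, and the recovered word equals the original; `log2_set_size(50)` reproduces the $2^{188}$ figure of the paper.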

4.2 Application to the Cryptosystem 

Section 3.3 was dedicated to the modification of the McEliece system using the 
general properties of $t$-tower decodability to strengthen the system against de- 
coding attacks. In this section we apply this modification with the $t$-tower de- 
codable sets previously defined over extensions of degree 5. In particular we show 
that it is possible to publish how to generate $\mathcal{E}$ without giving an attacker 
the possibility to reduce the complexity of the attacks on the system. 


Parameters of the System 

Family of Goppa Codes As a hiding polynomial we take an irreducible polyno- 
mial $g_1$ of degree 2 over $\mathbb{F}_{2^{5s}}$. Let $L$ be a labeling of the field $\mathbb{F}_{2^{5s}}$; we consider 
the family $\mathcal{G}$ of Goppa codes $\Gamma(L, g_1 g)$ where $g$ has degree $t$ and coefficients over 
$\mathbb{F}_{2^s}$. 

Private Key It consists of 3 parts: 

— a $k \times n$ generating matrix $G$ of a code picked randomly in $\mathcal{G}$, 

— an $n \times n$ permutation matrix $P$, 

— a non-singular $k \times k$ matrix $S$. 

Public Key 

1. the matrix $G' = SGP$, 

2. the positions of the $N_5$ orbits of cardinality 5 in the generating vector $L$. 

Note that if the positions of the orbits are in some way canonical the size of 
the public key can be made as low as the size of $G'$. 

Encryption-Decryption Since the positions of the orbits are public, the sender 
can generate the set $\mathcal{E}$ of $t$-tower decodable words described in the previous 
section. 

Encryption Let $x$ be the $k$-bit plaintext one has to transmit. The sender chooses 
randomly a word $e$ in $\mathcal{E}$: he first picks $\lfloor t/2 \rfloor$ orbits out of the $N_5$ possible ones and 
puts randomly 3 bits on each orbit. The corresponding ciphertext is $x' = xG' + e$. 

Decryption The receiver computes $x'P^{-1} = xSG + eP^{-1}$. Since permuting the 
coordinates does not change the structure of the automorphism group, we can 
consider that $eP^{-1}$ is still in $\mathcal{E}$. It was shown in Proposition 3 that $\mathcal{E}$ is $t$-tower decodable; 
therefore by applying the right linear combinations of the powers of the Frobenius 
automorphism, the receiver first recovers $eP^{-1}$, then recovers $x$. 

To evaluate the relative cost of the procedure compared to the original 
scheme, we have to separate it into different steps. 

1. First one has to compute the two linear combinations $x'_1 = x' + \sigma(x') + \sigma^2(x')$ 
and $x'_2 = x' + \sigma^2(x') + \sigma^3(x')$. Let $s_n$ be the cost of computing the action 
of $\sigma$ on a vector of length $n$, and let $a_n$ be the cost of xoring two words of 
length $n$. Overall the cost is $3(s_n + a_n)$. The action of $\sigma$ is a product of 
cyclic shifts, thus we neglect the cost of this step compared to the complexity 
of the decoding part. 

2. Decoding part: let $A_t = 3mnt + 4m^2t^2$ be the cost (given in Sect. 2.1) of decod- 
ing one word corrupted by a $t$-bit error vector. In the original system the 
decoding part costs exactly $A_t$ operations. In this modification the cost is at 
most $2A_t$ and can be greatly reduced: we first try to decode $x'_1$ and 
only if the decoding fails do we decode $x'_2$. Thus the additional cost of the 
procedure to recover $E$ from $x'_1$ or $x'_2$ is on average at most $\frac{1}{2} A_t$. 

3. The cost to recover $e$ from $E$ is a few times the cost of running over the 
$n$ positions of the word, so it can be neglected compared to the cost of the 
decoding procedure. 

Thus if $D$ is the cost of the decryption in the original scheme, and $D_1$ is the cost 
in time of the decryption in the modified scheme, we have 

$$D_1 \le D + \tfrac{1}{2} A_t.$$

By taking the original parameters, $n = 1024$ and $t = 50$, the number of binary 
operations per information bit for decryption becomes $W_D / k = 7521.5$, which 
remains much smaller than the $738\,112.5$ operations per information bit required 
for RSA-1024 decryption. 

The memory cost is identical in both schemes. 


Security of the System In the design of the scheme the positions of the 
orbits of size 5 in the support of the code are public. This does not jeopardize 
the scheme since it does not provide a potential attacker with exploitable in- 
formation. Indeed, given this information it seems difficult to recover additional 
properties enabling one to recover the Frobenius automorphism. This would imply 
that, given the public code, one could build a larger code of which we only 
know the non-ordered orbits through its automorphism group. 

By considering the McEliece parameters we show that this system provides 
better security against decoding attacks than the original scheme. 

McEliece Parameters If $\mathcal{G}$ is the set of codes $\Gamma(L, g_1 g)$ where $L$ is a labeling of $\mathbb{F}_{2^{10}}$ and 
$g$ runs over the irreducible polynomials of degree 50 over $\mathbb{F}_{2^2}$, then 

- the size of $\mathcal{G}$ is approximately $2^{95}$, 

- the size of the public key is of the same order as in the original system; 
$\Gamma(L, g_1 g)$ being a subcode of $\Gamma(L, g)$, the size of a generating matrix for 
$\Gamma(L, g_1 g)$ will be slightly smaller than the size of a generating matrix for 
$\Gamma(L, g)$, 

- $\mathcal{E}$ is a family of 50-tower decodable words of weight 75 and has cardi- 
nality $2^{188}$. This is very few compared to the $2^{284}$ decodable patterns of length 1024 
and weight 50, but still remains largely out of range of an exhaustive search. 

In that case applying the best algorithm for a decoding attack [CS98] costs 
roughly $2^{91}$ binary operations, compared to the $2^{64}$ involved in breaking the 
original system. 

5 Conclusion 

In the paper we showed how to use the automorphism group of Goppa codes 
to increase the security of the McEliece system against decoding attacks. This 
approach can be easily transferred to its Niederreiter type version, the security 
of which is the same. Of course the specific structure we require from the fam- 
ily of Goppa codes enables any attacker to greatly reduce the complexity of a 
structural attack compared to the cost of a structural attack on the original 
version. However, in the example developed above concerning the extensions of 
degree 5 the size of the family of codes to enumerate remains largely beyond 
the capabilities of the computers. The security is thus the result of a trade-off 
between the two kinds of attacks. 

Such an approach can be generalized to any finite field extension of char- 
acteristic 2. Still, in that case the problem is to find $t$-tower decodable sets 
satisfying the simple cryptographic constraints such as being a large set of 
large-weight words. The ideal would be to find a decodable set whose words 
have weight larger than half of the code length. Decoding attacks would then be 
completely obsolete, and as a consequence, the main problematic factor, which is 
the large size of the public key, would vanish. Gabidulin, Paramonov and Tret- 
jakov proposed such a cryptosystem based on error-correcting codes [GPT91] 
with very nice properties. This system is unbreakable with a decoding attack 
and has a very low key size (less than 10 kbits). Unfortunately the codes in the 
key space have so much structure that in its first version it was efficiently broken 
by K. Gibson [Gib95]. 
Abstract. There have been many proposals in recent years for password- 
authenticated key exchange protocols. Many of these have been shown 
to be insecure, and the only ones that seemed likely to be proven secure 
(against active adversaries who may attempt to perform off-line dictio- 
nary attacks against the password) were based on the Diffie-Hellman 
problem. In fact, some protocols based on Diffie-Hellman have been re- 
cently proven secure in the random-oracle model. We examine how to 
design a provably-secure password-authenticated key exchange protocol 
based on RSA. We first look at the OKE and protected-OKE protocols 
(both RSA-based) and show that they are insecure. Then we show how 
to modify the OKE protocol to obtain a password-authenticated key ex- 
change protocol that can be proven secure (in the random oracle model). 

The resulting protocol is very practical; in fact the basic protocol requires 
about the same amount of computation as the Diffie-Hellman-based pro- 
tocols or the well-known ssh protocol. 

1 Introduction 

Consider the following scenario: Alice and Bob share a short secret (say, a 4 digit 
PIN number or a 6 character password) that they wish to use to identify and 
authenticate each other over an insecure network (say, the Internet). They do 
not carry any other information with them. Of course, neither wants to reveal 
the secret to the other until the other has revealed his/her own knowledge of the 
secret. In fact, neither wants to reveal anything that could be used to verify the 
secret (such as a one-way function applied to the secret) since the secret can then 
be found by anyone using a dictionary attack (by simply iterating through the 
relatively small number of possible secrets, applying the one-way function to each 
of them, and comparing each result to the transmitted value). So how do Alice 
and Bob authenticate themselves? In general, Alice and Bob will want to not 
only authenticate themselves, but set up a secure channel between themselves. 
For this they need a cryptographically strong shared session key. So a variation 
of the question above would be: how do Alice and Bob bootstrap a short secret 
into a secure strong secret? 

This problem, which we call password- authenticated key exchange, was first 
proposed in Bellovin and Merritt [BM92]. In that paper, the Encrypted Key 
Exchange (EKE) protocol was proposed as a solution. The problem has since 
been studied extensively [BM93, GLNS93, Gon95, Jab96, Jab97, Luc97, STW95, 
Wu98], but only two recent papers [BPR00, BMP00] present protocols along with 
proofs of security, and in fact, many of the previously-proposed protocols have 
been shown to be insecure [Ble99, Pat97]. Both of the protocols that were proven 
secure were based on Diffie-Hellman. Specifically, [BPR00] developed a clean and 
elegant protocol based on EKE and proved its security based on Computational 
Diffie-Hellman (CDH), using the random oracle and ideal symmetric encryption 
function assumptions. The protocol in [BMP00] is similar, but with the proof 
of security based on Decisional Diffie-Hellman (DDH), using only the random 
oracle assumption. 


1.1 Overview of Our Results 

We study password-authenticated key exchange protocols based on RSA. We first 
look at the OKE (Open Key Exchange) and protected-OKE protocols of Lucks 
[Luc97] , since they are the first ones that were based on RSA and were claimed 
to have proofs of security. We show that in fact they are insecure. Then we show 
how to modify the OKE protocol to obtain a protocol that we prove to be secure. 
This new protocol requires only 4 moves, and only one public-key operation (i.e., 
a modular exponentiation) per side (either encryption or decryption). Thus it is 
efficient enough to be used in practice, e.g., for securing remote user access to a 
server, and is roughly as efficient as the other Diffie-Hellman-based protocols or 
the ssh protocol, all of which require two exponentiations per side.¹ 

In this scenario, it is actually useful for the server to store only some verifi- 
cation information for the password (such as a one-way function applied to the 
password) but not the password itself. This provides resilience to server com- 
promise, meaning that an adversary that compromises the server and steals the 
password information is still not able to impersonate a user, unless the adversary 
actually performs a dictionary attack on the verification information. We show 
how to extend our protocol to provide some resilience to server compromise, but 
due to space limitations, we omit the full proof of security for this extended 
protocol. 

The proposals presented in this paper have been presented in informal set- 
tings under the names SNAPI (Secure Network Authentication with Password 
Information) and SNAPI-X. To avoid confusion, we will continue to use those 
names here. 


1.2 Security Model and Definitions 

What does it mean for a password-authenticated key exchange protocol to be 
secure? Informally, it means that the probability that an adversary can success- 
fully authenticate itself is at most negligibly more than that of an adversary 
who runs a trivial attack of simply iteratively guessing passwords and running 
the authentication protocol (i.e., attempting to login). In SNAPI, we specifically 
show that if the adversary can do non-negligibly better than this trivial attack, 
then one can break RSA [RSA78]. We use the random-oracle model [BR93a] for 
our proofs. While a protocol having a security proof in the random-oracle model 
is certainly less desirable than a protocol having a proof in the standard model 
(using standard cryptographic assumptions) [CGH98], it is certainly preferable 
to a protocol which lacks any proof. Other techniques proven secure in the 
random-oracle model include Optimal Asymmetric Encryption Padding [BR94] 
(used in PKCS #1 v. 2 [Not99]) and Provably Secure Signatures [BR96]. 

¹ It is difficult to do more than rough comparisons, since modulus size and exponent 
size may vary among the different protocols. 

For our proofs we use the security model for password-authenticated key ex- 
change from [BMP00], in which the adversary totally controls the network, a 
la [BR93b], and which is based on the multi-party simulatability paradigm as 
described in [Bea91, BCK98, Sho99]. In this paradigm, security is defined us- 
ing an ideal system, which describes the service (of key exchange) that is to be 
provided, and a real system, which describes the world in which the protocol 
participants and adversaries work. The ideal system should be defined such that 
an “ideal world adversary” cannot (by definition) break the security. Then, in- 
tuitively, a proof of security would show that anything an adversary can do in 
the real system can also be done in the ideal system, and thus it would follow 
that the protocol is secure in the real system. 

Although it is not a password-only protocol, we do point out that the (one- 
way) authentication protocol given in Halevi and Krawczyk [HK98] is the first 
password-based authentication protocol to be formally proven secure, with stan- 
dard security assumptions. The proof methods in this paper are significantly 
influenced by their techniques. Boyarsky [Boy99] has recently discussed enhance- 
ments to the protocol of Halevi and Krawczyk to make it secure in the multi-user 
scenario. 

We note that basic shared-secret authentication protocols (e.g., [BR93b]) are 
not secure when the parties share short secrets. However, there is a similarity 
between basic authentication and password-based authentication: both seem to 
be very difficult to get correct, and many protocols have been published for 
both, which have subsequently been broken. This is precisely the reason why we 
emphasize provable security in this paper. 

2 Attack on the RSA Open Key Exchange Protocol 

Interest in developing RSA-based password-authenticated key exchange proto- 
cols has been strong [Luc97, RCW98] ever since Bellovin and Merritt first de- 
scribed the RSA-EKE protocol [BM92], their RSA version of the Encrypted 
Key Exchange protocol. However, the use of RSA in password-only protocols 
has proven to be quite tricky. Many of the RSA-based password-authenticated 
key exchange protocols have been shown to be insecure [Ble99, Pat97] . A differ- 
ent approach from the EKE protocols was used by Lucks [Luc97] to propose an 
RSA-based protocol which has so far resisted attacks. In this section, we present 
an efficient attack against this RSA-based protocol. In later sections, we modify 
the basic protocol in [Luc97] to obtain an RSA-based password-authenticated 
key exchange protocol that can be proven secure. 

Lucks presented two protocols: the Open Key Exchange (OKE) protocol and 
the protected-OKE protocol, both described in terms of generic encryption func- 
tions with certain properties. When instantiated with RSA, the OKE protocol 
has a problem, as noted by Lucks, which can allow an attacker to recover the 
password. Hence, Lucks modified the basic OKE protocol to create the protected- 
OKE protocol that was supposed to be secure when the encryption function was 
instantiated with RSA. We present the basic steps of the RSA versions of the 
OKE and protected-OKE protocols along with our attack. Details of OKE and 
protected-OKE can be found in [Luc97] . We first describe OKE: 

Step A Alice and Bob agree on a common secret $\pi$. Alice in advance generates 
an RSA key pair $((e, N), (d, N))$. 

Step B Alice chooses a random $m$ and sends $(e, N)$ and $m$ to Bob. 

Step C Bob chooses a random $\mu$, and then a random $a$ from $\mathbb{Z}_N^*$, computes 
$p = H(e|N|m|\mu|\pi)$ and $q = E(a) \circ p$, and sends $\mu$ and $q$ to Alice. $H$ is a 
random function with range $\mathbb{Z}_N^*$, $E$ is the RSA encryption function and $\circ$ is 
multiplication modulo $N$. 

Step D Alice computes $p$ like Bob, and recovers $a$ by performing an RSA de- 
cryption of $q \circ p^{-1}$. 

The remaining authentication and key generation steps are omitted because 
they are not needed for the attack. Lucks noted that there is a problem with this 
scheme: when an attacker can choose $(e, N)$ such that the function $E$ is not 
invertible, $E(a)$ is not uniformly distributed. Hence some information 
about $p$ is leaked, which is useful in ruling out candidate values for 
$p$ and $\pi$. This led Lucks to propose protected-OKE, which changes step C to 
step C' below: 

Step C' Bob chooses $a \in_R \mathbb{Z}_N^*$, but instead of $\mu$, Bob chooses 2 values $\mu_{-1}, 
\mu_0 \in_R \mathbb{Z}_N^*$. Bob uses $\mu_i = E(\mu_{i-2} \circ H'(\mu_{i-1}))$ to compute $\mu_1, \mu_2, \ldots, \mu_K$, where 
$H'$ is another random function mapping to $\mathbb{Z}_N^*$. The value $p = H(e|N|m|\mu_{-1}| 
\mu_0|\pi)$ is computed, and $q = E(a) \circ p$ is sent to Alice along with the last two 
values $\mu_{K-1}$ and $\mu_K$. 

Lucks reasoned that if $E$ is not invertible then there are at least two choices 
for $\mu_{K-2}$, and then for every choice of $\mu_{K-2}$ there are two choices for $\mu_{K-3}$ 
and so on. Thus we expect $2^K$ choices for $\mu_{-1}$. For suitably large values of $K$, 
say 80, it would be infeasible for the adversary to evaluate all possible $p$, so the 
information leaked about $p$ from $q = E(a) \circ p$ is of no use to the adversary. 
Unfortunately, RSA protected-OKE has a weakness and we present an example 
attack: 

Step 1 The attacker picks $e$ and $N$ such that $e = 3$, $N$ is a large prime, and 
$3 \mid N - 1$, and then sends $m$ and $(e, N)$ to Bob. 

Step 2 Unwittingly, Bob calculates $p = H(e|N|m|\mu_{-1}|\mu_0|\pi)$ and sends out $q$, 
$\mu_{K-1}$ and $\mu_K$. 

Step 3 We will now uniquely recover the values down to $\mu_2$ and $\mu_1$ using some basic 
results from number theory, by showing how to recover $\mu_{i-2}$ from $\mu_{i-1}$ and 
$\mu_i$. We note that we can efficiently find $d$th roots modulo $N$ if $d \mid N - 1$ [BS96]. 
We thus decrypt $\mu_i = E(\mu_{i-2} \circ H'(\mu_{i-1}))$ by solving for the three cube 
roots of $\mu_i$. Then we multiply each root by $(H'(\mu_{i-1}))^{-1}$ to get three 
possible solutions for $\mu_{i-2}$. Of the three possible solutions, only one will 
be a cubic residue (the three candidates differ by the cube roots of unity, so this 
holds as soon as the attacker picks $N$ with $9 \nmid N - 1$, which makes the cube roots of 
unity non-cubes). We know a priori that the correct value for $\mu_{i-2}$ will 
be a cubic residue because $\mu_{i-2}$ was formed by encrypting (i.e., cubing): 
$\mu_{i-2} = E(\mu_{i-4} \circ H'(\mu_{i-3}))$. Of the three possible values, we can identify the 
cubic residue because $\mu_{i-2}^{(N-1)/3} = 1 \bmod N$. We continue to recover the rest 
of the $\mu_i$ values down to $\mu_1$. 

Step 4 $\mu_0$ and $\mu_{-1}$ are random values and thus cannot be uniquely recovered 
using Step 3. There will be three possible values for $\mu_0$ and for each $\mu_0$ value 
there will be three possible values for $\mu_{-1}$. Hence there are nine possible $(\mu_0, 
\mu_{-1})$ pairs. We will now try to eliminate some candidate passwords from the 
list of possible passwords for Bob. If the password is guessed correctly and the 
$(\mu_0, \mu_{-1})$ pair is correct then solving for $E(a)$ from $q = E(a) \circ p$ will result 
in an $E(a)$ which is a cubic residue. Conversely, if the solved $E(a)$ is not a 
cubic residue, assuming the $(\mu_0, \mu_{-1})$ pair is correct, then we know the password 
guess is incorrect. We do not know the correct $(\mu_0, \mu_{-1})$ pair; however, if for 
all 9 pairs the 9 possible solutions for $E(a)$ turn out not to be cubic residues 
then we can eliminate this password guess. 

This will happen with a significant probability and thus we can eliminate 
a significant portion of the possible passwords. The probability, for a given 
wrong password, that a $(\mu_0, \mu_{-1})$ pair yields a non-cubic 
residue is the probability that a random element of $\mathbb{Z}_N^*$ is a non-cubic residue, which 
is $\frac{2}{3}$. The probability that all 9 $(\mu_0, \mu_{-1})$ pairs result in non-cubic residues 
is $(\frac{2}{3})^9$, which is about 2.6%. 

Step 5 We repeat the above procedure (Step 1 - Step 4), eliminating a constant 
fraction of the remaining passwords in each run, until only one password 
remains. 
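Steps 1 to 5 above, as an added simulation that is not part of the paper: it plays Bob's step C' honestly and runs the attacker's cube-root extraction and cubic-residue filtering against a constructed 50-entry PIN dictionary. The toy modulus $N = 1000003$ (a prime with $3 \mid N-1$ and $9 \nmid N-1$, small enough to run instantly), the chain length $K = 20$, the use of SHA-256 as stand-ins for the random oracles $H$ and $H'$, and the hypothetical password space are all my assumptions. The attacker's choice $9 \nmid N - 1$ is what makes exactly one of the three candidates $c$, $c\omega$, $c\omega^2$ a cube ($\omega$ a primitive cube root of unity is then itself a non-cube) and also makes cube roots a single exponentiation, so no general root-finding algorithm is needed.

```python
"""Cubic-residue attack on RSA protected-OKE with e = 3 (Sect. 2), simulated at toy size (added example)."""
import hashlib
import random

N = 1_000_003        # prime, 3 | N-1 and 9 does not divide N-1 (attacker's choice; toy size)
E_EXP = 3
K = 20               # length of Bob's mu-chain (Lucks suggests about 80; K does not help Bob here)
DICTIONARY = [f"{i:04d}" for i in range(50)]   # constructed 4-digit PIN space

def h_to_zn(tag, *parts):
    """Stand-in for the random oracles H and H' with range Z_N^*: SHA-256 reduced into 1..N-1."""
    data = tag.encode() + b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (N - 1) + 1

def enc(x):
    """E(x) = x^e mod N."""
    return pow(x, E_EXP, N)

def is_cube(x):
    """Cubic-residue test: x^((N-1)/3) == 1 mod N."""
    return pow(x, (N - 1) // 3, N) == 1

# primitive cube root of unity: g^((N-1)/3) for any non-cube g; not a cube itself because 9 does not divide N-1
OMEGA = pow(next(g for g in range(2, N) if not is_cube(g)), (N - 1) // 3, N)

def cube_roots(c):
    """The three cube roots of a cube c mod N, for N = 4 or 7 (mod 9): one exponentiation, then times OMEGA."""
    assert N % 9 in (4, 7) and is_cube(c)
    r = pow(c, (2 * N + 1) // 9, N) if N % 9 == 4 else pow(c, (N + 2) // 9, N)
    return [r, r * OMEGA % N, r * OMEGA * OMEGA % N]

def bob_step_c_prime(e, n, m, password, rng):
    """Step C': mu_i = E(mu_{i-2} o H'(mu_{i-1})), p = H(e|N|m|mu_{-1}|mu_0|pi), q = E(a) o p."""
    a = rng.randrange(1, N)
    mu = [rng.randrange(1, N), rng.randrange(1, N)]        # mu[j] holds mu_{j-1}: mu_{-1}, mu_0
    for _ in range(K):
        mu.append(enc(mu[-2] * h_to_zn("H'", mu[-1]) % N))
    p = h_to_zn("H", e, n, m, mu[0], mu[1], password)
    return enc(a) * p % N, mu[-2], mu[-1]                  # q, mu_{K-1}, mu_K

def step_back(mu_prev, mu_cur):
    """Candidates for mu_{i-2} from (mu_{i-1}, mu_i): cube roots of mu_i times H'(mu_{i-1})^-1."""
    inv = pow(h_to_zn("H'", mu_prev), -1, N)
    return [r * inv % N for r in cube_roots(mu_cur)]

def recover_pairs(mu_km1, mu_k):
    """Step 3: walk down to mu_1 keeping the unique cubic residue; Step 4: the 9 (mu_{-1}, mu_0) pairs."""
    prev, cur = mu_km1, mu_k
    for _ in range(K - 2):                                 # recovers mu_{K-2}, ..., mu_1
        cands = [c for c in step_back(prev, cur) if is_cube(c)]
        assert len(cands) == 1                             # exactly one, since OMEGA is not a cube
        prev, cur = cands[0], prev
    return [(mm1, m0) for m0 in step_back(prev, cur) for mm1 in step_back(m0, prev)]

def run_attack(password, rng, max_sessions=3000):
    """Step 5: open sessions with Bob until one dictionary entry is left. Returns (survivors, sessions)."""
    alive = set(DICTIONARY)
    sessions = 0
    while len(alive) > 1 and sessions < max_sessions:
        sessions += 1
        m = rng.randrange(1, N)
        q, mu_km1, mu_k = bob_step_c_prime(E_EXP, N, m, password, rng)
        pairs = recover_pairs(mu_km1, mu_k)
        for guess in list(alive):
            # a guess survives only if some pair makes q o p^-1 = E(a) a cubic residue
            if not any(is_cube(q * pow(h_to_zn("H", E_EXP, N, m, a, b, guess), -1, N) % N)
                       for a, b in pairs):
                alive.discard(guess)
    return alive, sessions
```

Each session removes about $(2/3)^9 \approx 2.6\%$ of the wrong guesses and never the right one, so a 50-entry dictionary collapses to the single correct PIN after a few hundred sessions; the number of sessions scales with the logarithm of the dictionary size, not with $K$.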

It may be tempting to propose blocking this attack by checking for primality 
of N and rejecting the session if N is prime. Although we have described the 
example attack using a prime N to keep the presentation simple, we could have 
done the same steps using a composite N = pq and using the Chinese remainder 
theorem where necessary; we omit the details. The above attack can efficiently 
discover a user’s password after a small number of sessions. One can also try to 
reduce the probability of the attack’s success by requiring e to have only large 
factors. However, this may still allow some leakage and does not rule out other 
attacks. Ad hoc countermeasures are not very satisfactory in password-based 
protocols because every avenue of information leakage has to be blocked. Details 
matter. 
3 Model 

For our proofs, we use the model defined in [BMP00], which extends the formal 
notion of security for key exchange protocols from Shoup [Sho99] to password- 
authenticated key exchange. We assume the adversary totally controls the net- 
work, à la [BR93b]. 

Briefly, this model is defined using an ideal key exchange system, and a real 
system in which the protocol participants and adversaries work. The ideal system 
will be secure by definition, and the idea is to show that anything an adversary 
can do to our protocol in the real system can also be done in the ideal system, 
and thus it would follow that the protocol is secure in the real system. 


3.1 Ideal System 

We assume there is a set of (honest) users, indexed $i = 1, 2, \ldots$. Each user $i$ may 
have several instances $j = 1, 2, \ldots$. Then $(i, j)$ refers to a given user instance. A 
user instance $(i, j)$ is told the identity of its partner, i.e., the user it is supposed 
to connect to (or receive a connection from). An instance is also told its role in 
the session, i.e., whether it is going to open itself for connection, or whether it 
is going to connect to another instance. 

There is also an adversary that may perform certain operations, and a ring 
master that handles these operations by generating certain random variables 
and enforcing certain global consistency constraints. Some operations result in 
a record being placed in a transcript. 

The ring master keeps track of session keys {K_ij} that are set up among 
user instances (as will be explained below, the key of an instance is set when 
that instance starts a session). In addition, the ring master has access to a 
random bit string R of some agreed-upon length (this string is not revealed 
to the adversary). We will refer to R as the environment. The purpose of the 
environment is to model information shared by users in higher-level protocols. 

We will denote a password shared between users A and B as π[A, B]. 

The adversary may perform the following operations: (1) initialize user op- 
eration with a new user number i and a new identifier ID_i as parameters; (2) 
set password with a new user number i, a new identifier ID_i, and a password π 
as parameters (modeling the adversary creating his own account); (3) initialize 
user instance with parameters including a user instance (i, j), its role, and a user 
identifier denoting the partner with whom it wants to connect; (4) terminate user 
instance with a user instance (i, j) as a parameter; (5) test instance password 
with a user instance (i, j) and a password guess π as parameters (this query can 
only be asked once per instance and models the adversary guessing a password 
and attempting to authenticate herself); (6) start session with a user instance 
(i, j) as a parameter (modeling the user instance successfully connecting to its 
partner and establishing a random session key); (7) application with a function f 
as parameter, and returning the function f applied to the environment and any 
session keys that have been established (modeling leakage of session key infor- 
mation in a real protocol through the use of the key in, for example, encryptions 
of messages); (8) implementation, with a comment as parameter (modeling real 
world queries that are not needed in the ideal world). 

For an adversary A* , IdealWorld(A*) is the random variable denoting the 
transcript of the adversary’s operations. 

For a detailed description of the syntax and semantics of the above opera- 
tions, see [BMP00]. 


3.2 Real System 

In the real system, users and user instances are denoted as in the ideal system. 
User instances are defined as state machines with implicit access to the user’s 
ID, PID, and password (i.e., user instance (i, j) is given access to π[ID_i, PID_ij]). 
User instances also have access to private random inputs (i.e., they may be 
randomized). A user instance starts in some initial state, and may transform 
its state only when it receives a message. At that point it updates its state, 
generates a response message, and reports its status, either continue, accept, or 
reject, with the following meanings: 

— continue: the user instance is prepared to receive another message. 

— accept: the user instance (say (i, j)) is finished and has generated a session 
key K_ij. 

— reject: the user instance is finished, but has not generated a session key. 

The adversary may perform the following types of operations: (1) initialize 
user operation as in the ideal system; (2) set password operation as in the ideal 
system; (3) initialize user instance as in the ideal system; (4) deliver message 
with an input message m and a user instance (i, j) as parameters, and returning 
the message output from (i, j) upon receiving m; (5) random oracle with the 
random oracle index i and input value x as parameters, and returning the result 
of applying random oracle H_i to x; (6) application as in the ideal system. 

For an adversary A, RealWorld(A) denotes the transcript of the adversary’s 
operations. 

Again, details of these operations can be found in [BMP00] . 


3.3 Definition of Security 

Our definition of security is the same as the one in [Sho99] for key exchange. It 
requires 

1. completeness: for any real world adversary that faithfully delivers messages 
between two user instances with complementary roles and identities, both 
user instances accept; and 

2. simulatability: for every efficient real world adversary A, there exists an ef- 
ficient ideal world adversary A* such that RealWorld(A) and IdealWorld(A*) 
are computationally indistinguishable. 
4 SNAPI 


In this section we will start by presenting the definition of RSA and giving a 
standard and well-accepted version of the RSA security assumption.² Then we 
will present the SNAPI and SNAPI-X protocols. 

First we give some preliminary definitions. Let k and ℓ denote our security 
parameters, where k is the “main” security parameter and can be thought of 
as a general security parameter for hash functions and secret keys (say 128 or 
160 bits), and ℓ > k can be thought of as a security parameter for RSA or 
discrete-log-type public keys (say 1024 bits). Let {0,1}* denote the set of finite 
binary strings and {0,1}^n the set of binary strings of length n. Let “|” denote the 
concatenation of bit strings in {0,1}*. A real-valued function ε(n) is negligible if 
for every c > 0, there exists an n_c > 0 such that ε(n) < 1/n^c for all n > n_c. 

The RSA encryption scheme is generally defined as follows: Let key generator 
GE define a family of RSA functions to be (e, d, N) ← GE(1^ℓ) such that N = 
PQ, where P and Q are prime numbers. Then, the public key is the pair (e, N) 
where gcd(e, φ(N)) = 1 and the order of the group is φ(N) = (P − 1)·(Q − 1). 

The encryption function E : Z*_N → Z*_N is defined by E(x) = x^e mod N and 
the decryption function D : Z*_N → Z*_N is D(x) = x^d mod N, where the secret 
exponent d is chosen such that ed ≡ 1 mod φ(N). 

The choice of P, Q, and e is generally left to the implementation, although 
it is recommended that P and Q be random large primes with about the same 
bit length (about ℓ/2 for security parameter ℓ) [IEE98], and for efficiency e is 
often chosen to be a small prime with a small number of ones in its binary 
representation, such as 3, 17, or 65537. 

For the security of SNAPI, we make explicit requirements on the generation 
of P, Q, and e, which are well within the scope of the general RSA security rec- 
ommendations. Specifically, we require that GE(1^ℓ) chooses two random primes 
P and Q from the range {2^{ℓ/2−1}, ..., 2^{ℓ/2}} (for convenience, we assume ℓ is a 
multiple of 2). This implies that 2^{ℓ−2} < N < 2^ℓ. We also require that e be a prime 
in the range {2^ℓ + 1, ..., 2^{ℓ+1}}. Note that this guarantees that gcd(e, φ(N)) = 1, 
since e is a prime larger than φ(N). 

For efficiency in our protocol, a standard value of e for a given security parameter 
ℓ could be chosen beforehand. This would eliminate the need for a primality test 
by Bob. (An alternative requirement on e would be that e is a prime, e > √N 
and (N mod e) ∤ N, since this can be checked in (probabilistic) polynomial time, 
and also implies that gcd(e, φ(N)) = 1 [Len84].) 

Given these requirements on GE, we use the following assumption on RSA: 

RSA Security Assumption: Let ℓ be the security parameter. Let key gener- 
ator GE define a family of RSA functions (i.e., (e, d, N) ← GE(1^ℓ)). For any 
probabilistic polynomial-time algorithm A, Pr[u^e ≡ w mod N : (e, d, N) ← 
GE(1^ℓ); w ∈_R {0,1}^ℓ; u ← A(1^ℓ, w, e, N)] is negligible. 


² The security of the SNAPI protocol can actually be proven under a slightly more 
general security assumption. Details are omitted. 
4.1 The Protocol 

Before the SNAPI protocol starts, two players agree on a common password 
π ∈ P. Let A and B be the identities of the two players, with A playing the role 
of Alice, and B playing the role of Bob. From this point on, we will refer to A 
as Alice and B as Bob, except when we must explicitly use their identities. 

We assume that Alice has chosen an RSA key pair ((e, N), (d, N)). In gen- 
eral, Alice would most likely use the same key pair in many sessions, although 
for perfect forward secrecy, Alice would need to choose a new pair in each ses- 
sion: if Adv discovers the decryption key then Adv can determine all session 
keys obtained in sessions using that key pair. Obviously, some tradeoffs of 
security versus efficiency could be made. Alternatively, the two parties could 
obtain perfect forward secrecy by computing the session key with a Diffie- 
Hellman key exchange [DH76] using, for instance, the m and μ values. This, 
however, would require the Diffie-Hellman assumption for security, along with 
the RSA assumption. For simplicity, we will assume Alice uses the same encryp- 
tion/decryption pair for each session, although if Adv impersonates Alice, Adv 
could use a different one. 

Define hash functions h, h', h'' : {0,1}* → {0,1}^k and H : {0,1}* → {0,1}^η 
(where η > ℓ + k). We will assume that h, h', h'', and H are independent random 
functions. Let S_N = {p : p < 2^η − (2^η mod N) and gcd(p, N) = 1}. 

The protocol is shown in Figure 1. Alice and Bob exchange random values, 
and Alice also gives her public key to Bob. They both compute hashes of all of 
these values, plus the password. Then Bob encrypts a random value a, multiplies 
it by the hash, and sends it to Alice. Alice can divide the received value by the 
hash and decrypt the result (using her private key) to obtain a. This value a can 
be used as a “long” secret for authentication. The idea of why this works is that 
even if Bob computes hashes corresponding to other passwords, Bob cannot find 
another value a ’ whose encryption times the other hash would equal the value 
sent to Alice, since Bob does not have the private key.³ 

Theorem 1 The SNAPI protocol is a secure password- authenticated key ex- 
change protocol under the RSA assumption and the random oracle model. 

Proof in appendix. 
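The Fig. 1 exchange carried through end to end, as an added example that is not the paper's code: both sides' messages, Bob's checks on the announced key (N in range, e a prime in (2^ℓ, 2^{ℓ+1}]), the S_N test that keeps p uniform and invertible mod N, and Alice's decryption a = (q/p)^d. Toy parameters ℓ = 48, k = 32 are assumed so the run is instant (the paper suggests ℓ ≈ 1024, k ≈ 128-160); h, h', h'', H are instantiated from SHA-256 with domain-separation tags over length-prefixed fields, an encoding of this example's own choosing since the paper treats them as abstract random oracles; the identities "alice" and "bob" and the passwords are constructed sample inputs.

```python
"""SNAPI (Fig. 1) with toy parameters; added example, not the paper's code."""
import hashlib
import math
import random

ELL, K = 48, 32          # toy security parameters (paper: ell > k, ell ~ 1024)
ETA = ELL + K + 16       # output length of H; the paper requires eta > ell + k


def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; this base set is exact for n < 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    if n in bases:
        return True
    if any(n % b == 0 for b in bases):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_rsa(rng):
    """GE(1^ell): random primes P, Q in [2^(ell/2-1), 2^(ell/2)) and the smallest
    prime e > 2^ell.  Since e > N > phi(N), gcd(e, phi(N)) = 1 automatically."""
    lo, hi = 2 ** (ELL // 2 - 1), 2 ** (ELL // 2)
    P = Q = 4
    while not (is_prime(P) and is_prime(Q) and P != Q):
        P, Q = rng.randrange(lo, hi), rng.randrange(lo, hi)
    e = 2 ** ELL + 1
    while not is_prime(e):
        e += 2
    N, phi = P * Q, (P - 1) * (Q - 1)
    return e, pow(e, -1, phi), N


def _ro(tag: str, *fields) -> int:
    """Random-oracle stand-in: SHA-256 over a tag and length-prefixed fields
    (the encoding is this example's choice; the paper leaves it abstract)."""
    m = hashlib.sha256(tag.encode())
    for f in fields:
        b = str(f).encode()
        m.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(m.digest(), "big")


def H(*f):  return _ro("H", *f) % 2 ** ETA    # {0,1}^eta
def h(*f):  return _ro("h", *f) % 2 ** K      # {0,1}^k
def h1(*f): return _ro("h'", *f) % 2 ** K     # h'
def h2(*f): return _ro("h''", *f) % 2 ** K    # h''


def in_S_N(p: int, N: int) -> bool:
    """S_N = {p : p < 2^eta - (2^eta mod N) and gcd(p, N) = 1}: p mod N is then
    uniform on the multiples range below 2^eta and p is invertible mod N."""
    return p < 2 ** ETA - (2 ** ETA % N) and math.gcd(p, N) == 1


def valid_pubkey(e: int, N: int) -> bool:
    """Bob's Step 2 checks on the key Alice announced (an attacker-chosen key
    with a bad e is what the attack in Section 2 exploits)."""
    return (2 ** (ELL - 2) <= N <= 2 ** ELL
            and 2 ** ELL < e <= 2 ** (ELL + 1) and is_prime(e))


def snapi(pw_alice: str, pw_bob: str, rng, A="alice", B="bob"):
    """One SNAPI run; returns (K_alice, K_bob), or None if either side rejects."""
    e, d, N = gen_rsa(rng)
    m = rng.getrandbits(K)                        # Step 1, Alice -> Bob: (A, m, (N, e))
    if not valid_pubkey(e, N):                    # Step 2, Bob
        return None
    mu = rng.getrandbits(K)
    a = rng.randrange(1, N)
    while math.gcd(a, N) != 1:                    # a in Z_N^*
        a = rng.randrange(1, N)
    p_b = H(N, e, m, mu, A, B, pw_bob)
    q = p_b * pow(a, e, N) % N if in_S_N(p_b, N) else a   # Bob -> Alice: (mu, q)
    if math.gcd(q, N) != 1:                       # Step 3, Alice
        return None
    p_a = H(N, e, m, mu, A, B, pw_alice)
    if not in_S_N(p_a, N):
        return None
    a_a = pow(q * pow(p_a, -1, N) % N, d, N)      # a = (q/p)^d mod N
    r = h(N, e, m, mu, A, B, q, a_a)              # Alice -> Bob: r
    if not in_S_N(p_b, N) or r != h(N, e, m, mu, A, B, q, a):   # Step 4, Bob
        return None
    t = h1(N, e, m, mu, A, B, q, a)               # Bob -> Alice: t
    K_b = h2(N, e, m, mu, A, B, q, a)
    if t != h1(N, e, m, mu, A, B, q, a_a):        # Step 5, Alice
        return None
    return h2(N, e, m, mu, A, B, q, a_a), K_b


def demo(seed: int = 2000):
    """Matching passwords, then a mismatch.  Seeded only so the demo is
    reproducible; a real implementation draws from `secrets`."""
    rng = random.Random(seed)
    return (snapi("correct horse", "correct horse", rng),
            snapi("correct horse", "battery staple", rng))


if __name__ == "__main__":
    good, bad = demo()
    print("same password:", good[0] == good[1], " wrong password:", bad)
```

With mismatched passwords Alice's p differs from Bob's, so her recovered a differs from his and Bob rejects at Step 4; an online guess therefore costs the adversary one failed session per candidate password, which is what the test-instance-password query of Section 3 models. SNAPI-X (Fig. 2) differs only in hashing the verifier X = g^x instead of π and in the extra Diffie-Hellman term in t.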

5 SNAPI-X 

We now present a protocol for password-only authentication that is “weakly” 
resilient to server compromise.⁴ 

Let g be a generator of a cyclic group G of size ω superpolynomial in k in 
which the Diffie-Hellman problem is hard. In the SNAPI-X protocol, we assume 

³ Naturally, proving that this is the case is much more difficult. 

⁴ By “weakly,” we mean that our protocol can be proven secure assuming that once 
the adversary has corrupted the server it does not actually impersonate the server 
to a real client, perhaps because it is unable to do network address spoofing. 
Alice (A) Step 1: Choose m ∈_R {0,1}^k, and send (A, m, (N, e)) to Bob. 

Bob (B) Step 2: If m ∉ {0,1}^k, N ∉ [2^{ℓ−2}, 2^ℓ], e ∉ (2^ℓ, 2^{ℓ+1}], 
  or e is not prime, then reject, 
  Else 
  1. Choose μ ∈_R {0,1}^k and a ∈_R Z*_N. 
  2. Compute p = H(N|e|m|μ|A|B|π). 
  3. If p ∉ S_N then set q = a, 
     Else set q = p·a^e mod N. 
  4. Send (μ, q) to Alice. 

Alice (A) Step 3: If μ ∉ {0,1}^k or gcd(q, N) ≠ 1, then reject, 
  Else 
  1. Compute p = H(N|e|m|μ|A|B|π). 
  2. If p ∉ S_N then reject, 
     Else set a = (q/p)^d mod N and 
     send r = h(N|e|m|μ|A|B|q|a) to Bob. 

Bob (B) Step 4: If p ∉ S_N or r ≠ h(N|e|m|μ|A|B|q|a), then reject, 
  Else send t = h'(N|e|m|μ|A|B|q|a) to Alice, 
  set K = h''(N|e|m|μ|A|B|q|a), and accept. 

Alice (A) Step 5: If t ≠ h'(N|e|m|μ|A|B|q|a), then reject, 
  Else set K = h''(N|e|m|μ|A|B|q|a) and accept. 


Fig. 1. SNAPI Protocol 


there is an initialization in which a client with identity B (whom we will refer 
to as Bob) chooses a password π ∈ P, computes x = H'(A|B|π) (where A 
is the identity of the server, whom we will refer to as Alice) and sends Alice 
X = g^x, which we call the password verifier. After the initialization Bob only 
needs to remember π. As in SNAPI, we assume that Alice has chosen an RSA 
key pair ((e, N), (d, N)). 

Define hash functions h, h', h'' : {0,1}* → {0,1}^k and H, H' : {0,1}* → 
{0,1}^η (where η > ℓ + k). We will assume that h, h', h'', H, and H' are indepen- 
dent random functions. Let S_N = {p : p < 2^η − (2^η mod N) and gcd(p, N) = 1}. 

The protocol is shown in Figure 2. Alice and Bob exchange random values, 
and Alice also gives her public key to Bob. They both compute hashes of all 
of these values, plus the password verifier. Then Bob encrypts a random value 
a, multiplies it by the hash, and sends it to Alice. Alice can divide the received 
value by the hash and decrypt the result (using her private key) to obtain a. This 
value a can be used as a “long” secret for authentication. Also, to verify that 
Bob knows the password and not just the password verifier, a type of “Diffie- 
Hellman” exchange is used. Alice generates her Diffie-Hellman values randomly, 
and Bob uses the password verifier along with its discrete log as his value. The 
secret Diffie-Hellman value can thus be computed by both parties and included 
in the authentication value sent by Bob. Due to space restrictions, we omit the 
discussion of the security model and proof, and simply state our theorem. 
Bob (B) Step 0: Send B to Alice. 

Alice (A) Step 1: Retrieve X from password file for B. 
  Choose m ∈_R {0,1}^k, and send (A, m, (N, e)) to Bob. 

Bob (B) Step 2: If m ∉ {0,1}^k, N ∉ [2^{ℓ−2}, 2^ℓ], e ∉ (2^ℓ, 2^{ℓ+1}], 
  or e is not prime, then reject, 
  Else 
  1. Set x = H'(A|B|π). 
  2. Choose μ ∈_R {0,1}^k and a ∈_R Z*_N. 
  3. Compute p = H(N|e|m|μ|A|B|g^x). 
  4. If p ∉ S_N then set q = a, Else set q = p·a^e mod N. 
  5. Send (μ, q) to Alice. 

Alice (A) Step 3: If μ ∉ {0,1}^k or gcd(q, N) ≠ 1, then reject, Else 
  1. Compute p = H(N|e|m|μ|A|B|X). 
  2. If p ∉ S_N then reject, Else, 
     (a) Set a = (q/p)^d mod N 
     (b) Choose γ ∈_R Z_ω 
     (c) Set r = h(N|e|m|μ|A|B|q|a) and y = g^γ. 
     (d) Send (r, y) to Bob. 

Bob (B) Step 4: If p ∉ S_N or r ≠ h(N|e|m|μ|A|B|q|a), then reject, 
  Else, 
  1. Send t = h'(N|e|m|μ|A|B|q|a|y^x) to Alice. 
  2. Set K = h''(N|e|m|μ|A|B|q|a), and accept. 

Alice (A) Step 5: If t ≠ h'(N|e|m|μ|A|B|q|a|X^γ), then reject, 
  Else set K = h''(N|e|m|μ|A|B|q|a) and accept. 


Fig. 2. SNAPI-X Protocol 


Theorem 2 The SNAPI-X protocol is a secure password-only authentication 
and key exchange protocol with weak resilience to server compromise, in the 
random oracle model under the RSA assumption and assuming the hardness of 
Decision Diffie-Hellman. 
A Security of the SNAPI Protocol 

The completeness requirement follows directly by inspection. Here we prove that 
the simulatability requirement holds. The basic technique is essentially that of 
Shoup [Sho99]. The idea is to create an ideal world adversary A* by running the 
real world adversary A against a simulated real system, which is built on top of 
the underlying ideal system. In particular, A* (i.e., the simulator combined with 
A) will behave in the ideal world just like A behaves in the real world, except 
that idealized session keys will be used in the real world simulation instead of 
the actual session keys computed in the real system. 

Thus our proof consists of constructing a simulator (that is built on top 
of an ideal system) for a real system so that the transcript of an adversary 
attacking the simulator is computationally indistinguishable from the transcript 
of an adversary attacking the real system. Due to space restrictions we are 
only able to sketch the simulation. Details may be found in the full version of 
the paper [MPS]. The difficult part of the simulation is to answer queries to 
user instances and random oracles that are consistent with the ideal world, but 
without a priori knowing the passwords. 

First we deal with the random oracle queries. Note that the user IDs and 
nonces allow the simulator to know which conversations they correspond to. 
The simulator always answers an H query with the encryption of a known 
value, which helps in the later simulation. 

For an h query, the simulator is able to test whether this corresponds to 
a password test by encrypting the a value in the query, and then for each H 
query corresponding to the same conversation, multiplying the encryption of a 
by the result of that query and testing if the result equals the q value sent in the 
conversation. If for any H query this test is positive, the simulator must make 
a test instance password query to the ringmaster in the ideal world. Naturally 
we must show that the simulator never makes a test instance password query 
unless the adversary is actively involved in the conversation, and in that case the 
simulator makes at most one test instance password query. (We sketch the proofs 
of those below.) If there is no password being tested, or if there is a password 
being tested and it is incorrect, the simulator simply responds with a random 
bit string. Otherwise, the simulator responds with a bit string consistent with 
previous values of the protocol. 

For h' and h" queries, the simulator simply responds with random bit strings, 
and these will be indistinguishable (details omitted). 

Now we deal with user instance queries. In general, they are handled as in 
the actual protocol, except that the q value is set to a random encryption (not 
multiplied by the result of an H query, since the password is not known to the 
simulator), and the authentication values r and t are generated randomly, except 
when a password test by the adversary is detected (by examining the random oracle 
queries). If necessary, the simulator makes a test instance password query to 
the ideal world ringmaster, and responds accordingly. If the simulator detects a 
matching conversation, i.e., an incoming authentication value was sent by a valid 
partner using the same nonces, then the simulator accepts the authentication 
value (even though it cannot actually check it since the simulator does not know 
the password). 

To prove that the adversary never forces the simulator to make a test instance 
password query for a matching conversation, we assume that the adversary does 
and break the RSA assumption as follows. We take a challenge RSA key and 
ciphertext and guess the user A involved in the offending conversation. The 
simulator sends the challenge RSA key when simulating user A, and for any 
user instance in a conversation with A sends q equal to a random encryption 
multiplied by the challenge ciphertext. Then for any random oracle query that 
tests a password, one can compute the decryption of the ciphertext (using the 
fact that the output of the H oracle is a value whose decryption is known to the 
simulator). 

To prove that the adversary never forces the simulator to make two test 
instance password queries for a non-matched conversation with an “Alice” user 
instance, we assume that the adversary does and break the RSA assumption 
as follows. We take a challenge RSA key and ciphertext and guess the user A 
involved in the offending conversation. The simulator sends the challenge RSA 
key when simulating user A, and for any H query involving user A, flips a coin 
to decide whether to set the output to the encryption of a known value, or the 
encryption of a known value multiplied by the challenge ciphertext. If two h or 
h! queries are made along with two H queries such that two password tests must 
be performed, then these correspond to the same q value sent to user A and thus 
can be related by an equation which allows one to solve for the decryption of 
the challenge ciphertext, as long as exactly one of the H query outputs included 
the challenge ciphertext. This happens with probability 



Round-Efficient Conference Key Agreement 
Protocols with Provable Security* 


Wen-Guey Tzeng and Zhi-Jia Tzeng 


Department of Computer and Information Science 
National Chiao Tung University 
Hsinchu, Taiwan 30050 
{tzeng, zjtzeng}@cis.nctu.edu.tw 


Abstract. A conference key protocol allows a group of participants to 
establish a secret communication (conference) key so that all their com- 
munications thereafter are protected by the key. In this paper we consider 
the distributed conference key (conference key agreement) protocol. We 
present two round-efficient conference key agreement protocols, which 
achieve the optimum in terms of the number of rounds. Our protocols 
are secure against both passive and active adversaries under the random 
oracle model. They release no useful information to passive adversaries 
and achieve fault tolerance against any coalition of malicious partici- 
pants. We achieve the optimal number of rounds by transforming an interactive 
proof system into a non-interactive version, while preserving its security capa- 
bility. 

1 Introduction 

A conference key protocol allows a group of participants to establish a secret 
communication (conference) key so that all their communications thereafter are 
protected by the key. In this paper we consider the distributed conference key 
(conference key agreement) protocol under the broadcast channel model in which 
sent messages are guaranteed to be received intact. Nevertheless, the attacker 
can inject false messages. 

For security, we consider both active and passive adversaries. A passive adver- 
sary, eavesdropper, tries to learn information by listening to the communication 
of the participants. There are two types of active adversaries: impersonators 
and malicious participants. An impersonator tries to impersonate a legal 
participant. A malicious participant tries to disrupt conference key establishment 
ticipant. A malicious participant tries to disrupt conference key establishment 
among honest participants. 

Our protocols focus on round efficiency. We would like to have a conference 
key agreement protocol by which the participants exchange messages with as 
few rounds as possible even when active adversaries are present. In this paper 
we present two round-efficient conference key agreement protocols that achieve 
the optimum in terms of the number of rounds, that is, they use only one round 
even in the worst scenario. After each participant sends messages to and receives 
messages from other participants, they go on to compute the conference key no 
matter whether the attack of active adversaries occurs. Our protocols are secure 
against both passive and active adversaries under the random oracle model. They 
release no useful information to passive adversaries and achieve fault tolerance 
against any coalition of malicious participants. We achieve the optimal number 
of rounds by transforming an interactive proof system into a non-interactive 
version, while preserving its security capability. 


1.1 Related Work 

Computing a conference key among a set of participants is a special case of 
secure multiparty computation, in which a group of people, each of whom possesses 
a private input k_i, computes a function f(k_1, k_2, ...) securely [2]. Therefore, it 
is possible to obtain a secure conference key agreement protocol from the generic 
construction for secure multiparty computation. Nevertheless, this is overkill. 
Furthermore, the conference key agreement protocol has some distinct features. 
First, a cheater’s goal in conference key agreement is to disrupt con- 
ference key establishment among the set of honest participants, which is quite 
different from that in secure multiparty computation. Second, since a cheater’s 
secret is not needed in conference key agreement, the cheater can simply be 
excluded when detected. On the other hand, in secure multiparty computation, 
when a cheater is found, the cheater’s secret k_i, which is shared among the others, 
is recovered by the honest participants so that the evaluation can proceed. 

There has been intensive research on conference key protocols. Conference 
key distribution protocols (with a chairman) have been studied in [3,9,10,19]. 
Pre-distributed conference key protocols have been studied in [4,5,22]. And 
conference key agreement protocols have been studied in [17,19,20,27,29,28]. 
Information-theoretically secure conference key protocols have been studied 
in [5,12]. Most proposed protocols except [18,28] do not have the capability 
of fault-tolerance so that a malicious participant can easily mislead other par- 
ticipants to compute different conference keys so that the honest participants 
cannot confer correctly. 

Burmester and Desmedt [7] proposed a round-efficient (two-round) protocol 
(Protocol 3) with f(k_1, k_2, ..., k_n) = g^{k_1 k_2 + k_2 k_3 + ... + k_n k_1} mod p. In the modified 
Protocol 7 (authenticated key distribution), they used an interactive proof for 
authenticating sent messages to show that the protocol is secure against imper- 
sonators. However, neither protocol can withstand the attack of malicious par- 
ticipants. The fault-tolerant conference key agreement protocol of Klein et al. [18] 
is quite inefficient and its security is not rigorously proved. In [28], when malicious 
participants are detected, the protocol restarts for the remaining participants. 
It may be that a participant behaves maliciously in a new round, so that 
the protocol has to restart again. Thus the protocol has to run O(m) times for 
m malicious participants in the worst case. This may be inefficient since the 
number of rounds may be the main communication cost. 
2 Preliminaries 

A user in a conference key system is a probabilistic polynomial-time Turing 
machine. Each user U_i has a secret key x_i and a corresponding public key y_i. 
The system has a public directory recording the system’s public parameters 
and each user’s public key, which can be accessed by everyone. All users are 
connected by a broadcast network such that the messages sent on the network 
cannot be altered, blocked or delayed. For simplicity, we assume that the network 
is synchronous, that is, for a given phase of a round, all users send their messages 
to the other recipients (or receive messages from the other senders) simultaneously. No 
private channel exists between users. A group of users who want to establish a 
conference key is called the set of participants. 

We consider three types of adversaries. They are all probabilistic polynomial- 
time Turing machines. An eavesdropper, who is not a participant, listens to the 
broadcast channel and tries to learn the conference key established by the hon- 
est participants. An impersonator, who is an outsider, tries to impersonate 
a legal participant. A malicious participant, who is a participant, tries to dis- 
rupt establishment of a common conference key among the honest participants. 
A malicious participant mainly sends “malicious” messages to fool an honest 
participant into believing that he has computed the same conference key as the 
other honest participants, while in fact he has not. We do not care about the 
possibility that two or more cheating participants collaborate so that one 
of them or another malicious participant is not able to compute the key. For 
example, a malicious participant U_i sends “malicious” messages, but all honest 
participants compute the same key. Another malicious participant U_j, though 
receiving an incorrect key, still claims that he has received the correct key. 
We tolerate this case since this type of collaboration between malicious U_i and 
U_j does no harm to the honest participants. We do not restrict the number of 
malicious participants in a conference. 

A conference key agreement protocol should meet the following requirements: 

- Authentication: an outsider cannot impersonate a legal participant. 

- Correctness: the set of honest participants who follow the protocol computes 
a common conference key. 

- Fairness: the conference key should be determined without bias by all honest 
participants together. 

- Fault tolerance: no coalition of malicious participants can spoil the confer- 
ence by making honest participants compute different conference keys. 

- Privacy: an eavesdropper cannot get any information about the conference 
key established by the honest participants. 

We consider two types of communication cost: 

- Message efficiency: the total number of messages sent by the participants for 
completing the protocol. This includes the extra messages for dealing with 
malicious participants. 
- Round efficiency: the total number of rounds executed by the participants for 
completing the protocol. This includes the extra rounds for dealing with the 
malicious participants. 

In security analysis we use the random oracle model [1] , which assumes that a 
cryptographically strong (collision-free) hash function is a random function. Al- 
though this is only a security argument [8], it is a suitable paradigm for analyzing 
our first protocol. 

3 Basic Techniques 

We use the following setting for the system and users throughout the rest of the 
paper. The system has public parameters: 

- p: a large prime number of the form 2q + 1, where q is also a large prime. 

- g: a generator for the subgroup G_q of all quadratic residues in Z*_p. 

Each user U_i has two parameters: 

- Private parameter x_i: a number in Z*_q − {1}. 

- Public parameter y_i = g^{x_i} mod p. Since q is a prime number, y_i is a generator 
for G_q. 

Let x ∈_R S denote that x is chosen from the set S uniformly and indepen- 
dently, and [a..b] denote the set of integers between a and b, where a ≤ b. In 
order to simplify presentation, we omit the security parameter (or complexity 
measure) n from the related parameters, unless necessary. For example, when we 
say a probability ε is negligible, we mean that for any positive constant c, 
ε = ε(n) < 1/n^c for large enough n. A probability δ is overwhelming if δ = 1 − ε 
for some negligible probability ε. 

The discrete logarithm (DL) problem is to compute x = log_g y (mod p) from 
a given (y, g, p), where p = 2q + 1, g is a generator of G_q and y ∈_R G_q. The 
decisional Diffie-Hellman (DDH) problem is to distinguish the distributions 

(g_1, g_2, g_1^r mod p, g_2^r mod p) and (g_1, g_2, u_1, u_2) 

with a non-negligible probability, where g_1 and g_2 are generators of G_q, r ∈_R Z_q 
and u_1, u_2 ∈_R G_q. We assume that the DL and DDH problems are compu- 
tationally infeasible. These are called the DL assumption (DLA) and the DDH 
assumption (DDHA). In particular, no probabilistic polynomial-time algorithm 
can solve even a non-negligible fraction of the inputs of the DL problem. 

The main building block of our conference key agreement protocols is a pro- 
tocol for sending a (random) secret to the other participants such that anyone 
can verify that all participants receive the same secret. We call this the pro- 
tocol for a publicly verifiable secret (PVS). Let t be the security parameter of 
the system. If participant U_i wants to send the secret (subkey) g^{k_i} mod p to all 
other participants in a publicly verifiable way, it broadcasts 

u_{i,j} = y_j^{k_i} mod p, 1 ≤ j ≤ n, 

where k_i ∈_R Z_q. Another participant U_j can obtain the shared secret g^{k_i} mod p 
with U_i by computing u_{i,j}^{x_j^{-1} mod q} mod p. The PVS proof system shows that 

- log_{y_1} u_{i,1} = log_{y_2} u_{i,2} = ... = log_{y_n} u_{i,n} (mod p), and 

- U_i knows the exponent k_i = log_{y_j} u_{i,j} mod p, 1 ≤ j ≤ n, 

with error probability 1/2^t. We can make the error probability inverse exponen- 
tially small by repeating the system a polynomial number of times. The PVS 
proof system is: 

1. P → V: b_j = y_j^r mod p, 1 ≤ j ≤ n, where r ∈_R Z_q; 

2. V → P: c ∈_R [0..2^t − 1]; 

3. P → V: w = r − c·k_i mod q; 

4. V checks whether b_j = y_j^w · u_{i,j}^c mod p, 1 ≤ j ≤ n. 

Theorem 1. Assume the DLA. The PVS proof system above is complete, sound
and zero-knowledge.

Proof. The completeness property can be verified easily. For soundness, if
a probabilistic polynomial-time adversary $A$ can impersonate $P$ with a non-negligible
probability $\epsilon$, the verifier $V$ and $A$ together can solve the discrete
logarithm problem with an overwhelming probability. Since the probability $\epsilon$ is
non-negligible, one can use $A$ to generate two responses $w_1 = r - c_1 k_i \bmod q$ and
$w_2 = r - c_2 k_i \bmod q$ for the same commitments $b_j$ and two different challenges
$c_1$ and $c_2$. One can then compute $U_i$'s secret key $k_i = (w_1 - w_2)(c_2 - c_1)^{-1} \bmod q$.
Furthermore, if the prover does not know $k_i$, he can pass a challenge by the
verifier $V$ with probability $1/2^t$.

To simulate the view of a verifier $V^*$, the simulator $S$ first selects $c \in_R [0..2^t - 1]$
and $w \in_R Z_q$ and computes $b_j = y_j^w \cdot u_{i,j}^c \bmod p$, $1 \le j \le n$. $S$ then
simulates $V^*(b_1, b_2, \ldots, b_n)$ to get $c'$. If $c = c'$, then $S$ outputs $(b_1, b_2, \ldots, b_n, c, w)$.
Otherwise, $S$ resets $V^*$ to its original state before this round of simulation and
starts the next round of simulation. The output of $S$ and the view of $V^*$ are
statistically indistinguishable. □

We need the proof system to be non-interactive. By the standard technique [14],
we replace $V$ with a cryptographically strong (collision-resistant) hash function
$\mathcal{H}$ for generating the challenge $c$. In the non-interactive paradigm,
the interactive version of a proof system need only be zero-knowledge for the
honest verifier. Our PVS proof system is honest-verifier zero-knowledge even
when $c \in Z_q$. Therefore, we choose $\mathcal{H} : \{0,1\}^* \rightarrow \{0,1\}^{\log q}$.

The message $(c, w)$ sent by $U_i$ for non-interactive PVS satisfies

$c = \mathcal{H}(g \| y_1 \| \cdots \| y_n \| u_{i,1} \| \cdots \| u_{i,n} \| y_1^w u_{i,1}^c \| \cdots \| y_n^w u_{i,n}^c),$

where $\|$ is the concatenation operator of strings. $U_i$ can compute $(c, w)$ by choosing
$r \in_R Z_q$, computing $c = \mathcal{H}(g \| y_1 \| \cdots \| y_n \| u_{i,1} \| \cdots \| u_{i,n} \| y_1^r \| \cdots \| y_n^r)$, and
setting $w = r - c k_i$. We shall use $\mathrm{NIPVS}(g, y_1, y_2, \ldots, y_n, u_{i,1}, u_{i,2}, \ldots, u_{i,n})$
to denote the non-interactive proof system described above. By verifying
$\log_{y_1} u_{i,1} = \log_{y_2} u_{i,2} = \cdots = \log_{y_n} u_{i,n}$, one can be assured that all
participants receive the same secret value $g^{k_i}$. The proof system releases no useful
information assuming the DLA and the random oracle model.

The integrated APVS (PVS with authentication) proof system achieves public
verification of a secret and authentication of an identity simultaneously. For
APVS, the participant $U_i$ broadcasts

$u_{i,j} = y_j^{k_i} \bmod p, \quad 1 \le j \le n,$

to the other participants, where $k_i \in_R Z_q$. Given the broadcast messages, the APVS
proof system shows that

- $\log_{y_1} u_{i,1} = \log_{y_2} u_{i,2} = \cdots = \log_{y_n} u_{i,n} \pmod p$,

- $U_i$ knows the exponent $k_i = \log_{y_j} u_{i,j} \bmod p$, $1 \le j \le n$, and

- $U_i$ knows the secret $x_i = \log_g y_i \bmod p$.

The APVS proof system with input $(g, y_1, y_2, \ldots, y_n, u_{i,1}, u_{i,2}, \ldots, u_{i,n})$ is:

1. $P \rightarrow V$: $b_j = y_j^{r_1} g^{r_2} \bmod p$, $1 \le j \le n$, where $r_1, r_2 \in_R Z_q$;

2. $V \rightarrow P$: $c \in_R [0..2^t - 1]$;

3. $P \rightarrow V$: $w_1 = r_1 - c k_i \bmod q$, $w_2 = r_2 - c x_i \bmod q$;

4. $V$ checks $b_j = y_j^{w_1} g^{w_2} (y_i u_{i,j})^c \bmod p$, $1 \le j \le n$.

Theorem 2. Assume the DLA. The APVS proof system is complete, sound and
zero-knowledge.

Proof. The completeness and soundness properties are easily checked.

For zero-knowledge, the simulator $S$ simulates $P$'s interaction with any verifier
$V^*$. $S$ randomly selects $c \in_R [0..2^t - 1]$ and $w_1, w_2 \in_R Z_q$ and computes
$b_j = y_j^{w_1} g^{w_2} (y_i u_{i,j})^c \bmod p$, $1 \le j \le n$. $S$ then simulates $V^*(b_1, b_2, \ldots, b_n)$ to
get $c'$. If $c = c'$, then $S$ outputs $(b_1, b_2, \ldots, b_n, c, w_1, w_2)$. Otherwise, $S$ resets $V^*$
to its original state before this round of simulation. We can see that the output
of $S$ and $V^*$'s view with $P$ are statistically indistinguishable. □

Again, we can make the proof system non-interactive by using a cryptographically
strong hash function $\mathcal{H}$ in place of $V$. Let

$\mathrm{NIAPVS}(g, y_1, y_2, \ldots, y_n, u_{i,1}, u_{i,2}, \ldots, u_{i,n}) = (w_1, w_2, c)$

denote the non-interactive APVS proof system such that

$c = \mathcal{H}(g \| y_1 \| \cdots \| y_n \| u_{i,1} \| \cdots \| u_{i,n} \| y_1^{w_1} g^{w_2} (y_i u_{i,1})^c \| \cdots \| y_n^{w_1} g^{w_2} (y_i u_{i,n})^c),$

where $c, w_1, w_2 \in Z_q$.

We now present two proofs for the Diffie-Hellman and equality properties,
respectively. The proof system DH for the Diffie-Hellman property shows
that an input has the form $(g, u, v, z) = (g, g^a, g^b, g^{ab})$ and that the prover knows $a$
and $b$. The proof system EQ for the equality property shows that an input
has the form $(g, u, y, v) = (g, g^a, y, y^a)$ and that the prover knows $a$.
The DH proof system is as follows.

1. $P \rightarrow V$: $a_1 = g^{r_1}$, $a_2 = u^{r_1}$, $b_1 = g^{r_2}$, $b_2 = v^{r_2}$, where $r_1, r_2 \in_R Z_q$;

2. $V \rightarrow P$: $c \in_R [0..2^t - 1]$;

3. $P \rightarrow V$: $w_1 = r_1 + bc \bmod q$, $w_2 = r_2 + ac \bmod q$;

4. $V$ checks $g^{w_1} = a_1 v^c$, $u^{w_1} = a_2 z^c$, $g^{w_2} = b_1 u^c$, $v^{w_2} = b_2 z^c$.

Theorem 3. The DH proof system is complete, sound and zero-knowledge.

Proof. The system's completeness follows easily. For soundness, if an adversary
who does not know $a$ and $b$ can impersonate the prover with a non-negligible
probability, it can answer two different challenges $c$ and $c'$ of the
same commitment $(a_1, a_2, b_1, b_2)$, corresponding to $r_1$ and $r_2$, from the verifier.
Let the adversary give the answers $(w_1, w_2)$ and $(w_1', w_2')$. We can compute
$b = (w_1 - w_1')(c - c')^{-1} \bmod q$ and $a = (w_2 - w_2')(c - c')^{-1} \bmod q$.

For zero-knowledge, the simulator $S$ simulates $P$'s interaction with any verifier
$V^*$. $S$ randomly selects $c \in_R [0..2^t - 1]$ and $w_1, w_2 \in_R Z_q$ and computes
$a_1 = g^{w_1}/v^c$, $a_2 = u^{w_1}/z^c$, $b_1 = g^{w_2}/u^c$, and $b_2 = v^{w_2}/z^c$. $S$ then simulates
$V^*(a_1, a_2, b_1, b_2)$ to get $c'$. If $c = c'$, $S$ outputs $(a_1, a_2, b_1, b_2, c, w_1, w_2)$; otherwise,
$S$ resets $V^*$ to its original state before this round of simulation. We can see
that the output of $S$ and $V^*$'s view with $P$ are statistically indistinguishable. □

The EQ proof system is:

1. $P \rightarrow V$: $b_1 = g^r \bmod p$, $b_2 = y^r \bmod p$, where $r \in_R Z_q$;

2. $V \rightarrow P$: $c \in_R [0..2^t - 1]$;

3. $P \rightarrow V$: $w = r - ca \bmod q$;

4. $V$ checks $b_1 = g^w u^c \bmod p$ and $b_2 = y^w v^c \bmod p$.

Theorem 4. The EQ proof system is complete, sound and zero-knowledge [11].

We use NIDH and NIEQ to denote the non-interactive versions of the DH
and EQ proof systems, respectively.


4 Our Round-Efficient Protocols 

We present two round-efficient conference key protocols and show their security.
The first one uses the PVS protocol for verifying the sender's subkey and a digital
signature for the sender's identity. The second protocol uses the integrated APVS for
both subkey verification and identity authentication.

Since our protocols are non-interactive, we need to use a session token $ST$, which
is new for each conference session, in the hash functions to prevent replay
attacks. Thus, in our protocols each collision-free hash function $H(\cdot)$ is computed
as $\mathcal{H}(ST, \cdot)$.
4.1 Protocol Conf-1

The protocol starts when an initiator calls for a conference for a set $U$
of participants and sets the session token $ST$. Without loss of generality, let
$U = \{U_1, U_2, \ldots, U_n\}$ be the initial participant set. Each participant $U_i$, $1 \le i \le n$,
knows $U$. Let $H$ be a collision-resistant hash function, which is used
in the modified ElGamal signature scheme. In the protocol, each participant
$U_i$ first selects a random number $k_i$ and computes his subkey $g^{k_i} \bmod p$. This
subkey is conveyed to the other participants by sending $u_{i,j} = y_j^{k_i} \bmod p$, $1 \le j \le n$.
$U_i$ sends $\mathrm{NIPVS}(g, y_1, y_2, \ldots, y_n, u_{i,1}, u_{i,2}, \ldots, u_{i,n})$ to convince the other
participants that all of them receive the same subkey. $U_i$ also sends
the signature $(r_i, s_i)$ of his subkey for authentication. After receiving messages
from the other participants, $U_i$ checks whether each participant $U_j$, $j \ne i$, sent the
correct messages and authenticates $U_j$'s identity. If not, $U_i$ excludes $U_j$ from the
set of honest participants. Then, $U_i$ computes the conference key according to
the set of honest participants. Our protocol is as follows.

1. Message sending: each participant $U_i$ does the following:

(a) Randomly select $k_i, R_i \in Z_q$.

(b) Compute and broadcast $u_{i,j} = y_j^{k_i} \bmod p$, $1 \le j \le n$,
$\mathrm{NIPVS}(g, y_1, y_2, \ldots, y_n, u_{i,1}, u_{i,2}, \ldots, u_{i,n})$, $r_i = g^{R_i} \bmod p$ and
$s_i = R_i^{-1}(H(ST, r_i, g^{k_i}) - r_i x_i) \bmod q$.

2. Conference key computing: each participant $U_i$ does the following:

(a) Fault detection and exclusion: for each $j \ne i$,

- Compute $z_j = (u_{j,i})^{x_i^{-1}} \bmod p$ and verify whether $(r_j, s_j)$ is the signature of $z_j$.

- Verify $\mathrm{NIPVS}(g, y_1, y_2, \ldots, y_n, u_{j,1}, u_{j,2}, \ldots, u_{j,n})$.

If both checks succeed, add $U_j$ to its honest participant set $U_i$.

(b) Compute the conference key: assume that $U_i$'s honest participant set $U_i$
is $\{U_{i_1}, U_{i_2}, \ldots, U_{i_m}\}$. $U_i$ computes the conference key

$K = (u_{i_1,i} u_{i_2,i} \cdots u_{i_m,i})^{x_i^{-1}} \bmod p = g^{k_{i_1} + k_{i_2} + \cdots + k_{i_m}} \bmod p.$

Note that only legal participants can verify whether $(r_i, s_i)$ is the signature
of the subkey $z_i$. This property is crucial to the proof of releasing no useful
information in the random oracle model.

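As an added example (not code from the paper), the NIPVS proof system and protocol Conf-1 described above, run in Python over a constructed toy group. The 1019-element subgroup, SHA-256 standing in for the paper's unspecified hash $H$, and the session-token strings are assumptions; the `cheat` flag models a participant whose $u_{i,j}$ are inconsistent, which both the NIPVS check and the signature check on the recovered subkey reject.

```python
import hashlib, secrets

# Constructed toy parameters (far too small for real use): p = 2q + 1 is a safe
# prime, and g = 4 is a square mod p, so it generates the order-q subgroup G_q.
P, Q, G = 2039, 1019, 4

def H(*parts):
    """H(ST, .) reduced into Z_q; SHA-256 is an assumption, the paper fixes no hash."""
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big") % Q

def rand_zq():
    return secrets.randbelow(Q - 1) + 1               # uniform nonzero element of Z_q

def nipvs_prove(st, ys, us, k):
    """NIPVS(g, y_1..y_n, u_1..u_n) = (c, w): every log_{y_j} u_j equals k, known to prover."""
    r = rand_zq()
    bs = [pow(y, r, P) for y in ys]                   # b_j = y_j^r
    c = H(st, G, *ys, *us, *bs)
    return c, (r - c * k) % Q                         # w = r - c k_i mod q

def nipvs_verify(st, ys, us, proof):
    c, w = proof
    bs = [pow(y, w, P) * pow(u, c, P) % P for y, u in zip(ys, us)]   # b_j = y_j^w u_j^c
    return c == H(st, G, *ys, *us, *bs)

def sign(st, x, subkey):
    """Modified ElGamal: r = g^R, s = R^{-1}(H(ST, r, subkey) - r x) mod q."""
    R = rand_zq()
    r = pow(G, R, P)
    return r, pow(R, -1, Q) * (H(st, r, subkey) - r * x) % Q

def sig_ok(st, y, subkey, sig):
    r, s = sig                                        # accept iff g^h = y^r r^s mod p
    return pow(G, H(st, r, subkey), P) == pow(y, r, P) * pow(r, s, P) % P

def send(st, ys, x, k, cheat=False):
    """Conf-1 step 1 for one participant: u_{i,j} = y_j^{k_i}, its NIPVS, and a signature."""
    us = [pow(y, k, P) for y in ys]
    if cheat:                                         # inconsistent subkey toward U_1 (index 0)
        us[0] = us[0] * G % P
    return us, nipvs_prove(st, ys, us, k), sign(st, x, pow(G, k, P))

def conf1_key(st, i, x_i, ys, msgs):
    """Conf-1 step 2 for U_i: exclude faulty senders, then K = (prod_j u_{j,i})^{x_i^{-1}}."""
    inv_x = pow(x_i, -1, Q)
    honest, prod = [], 1
    for j, (us, proof, sig) in enumerate(msgs):
        if j != i:
            z_j = pow(us[i], inv_x, P)                # recover U_j's subkey g^{k_j}
            if not (sig_ok(st, ys[j], z_j, sig) and nipvs_verify(st, ys, us, proof)):
                continue
        honest.append(j)
        prod = prod * us[i] % P
    return honest, pow(prod, inv_x, P)

def run_conference(n=4, cheater=None, st="session-token-1"):
    """Simulate Conf-1 on a broadcast channel; returns each view and g^{sum of honest k_j}."""
    xs = [rand_zq() for _ in range(n)]
    ys = [pow(G, x, P) for x in xs]                   # long-term keys y_i = g^{x_i}
    ks = [rand_zq() for _ in range(n)]
    msgs = [send(st, ys, xs[i], ks[i], cheat=(i == cheater)) for i in range(n)]
    views = [conf1_key(st, i, xs[i], ys, msgs) for i in range(n)]
    return views, pow(G, sum(k for j, k in enumerate(ks) if j != cheater) % Q, P)
```

In this toy group the soundness error is about $1/q$ per run, so a cheating sender can occasionally slip through; with real parameter sizes that probability is negligible.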

4.2 Security Analysis of Conf-1 

We now show the security of protocol Conf-1 with respect to authentication, correctness,
fairness, fault tolerance against malicious participants, and releasing no useful
information.

We first show that all honest participants who follow the protocol compute
the same conference key. The conference key is determined by all honest participants
without bias.
Theorem 5 (Fault tolerance, correctness and fairness). All honest participants
who follow the protocol compute a common conference key with an
overwhelming probability no matter how many participants are malicious. Furthermore,
the common conference key is determined by the honest participants
unbiasedly.

Proof. For fault tolerance, we show two things. First, any malicious participant
$U_i$ who tries to cheat another participant $U_j$ into accepting a different subkey will be
excluded by all honest participants. Second, no honest participant will be
excluded by any other honest participant.

Since we assume the broadcast channel, every participant receives the same
messages. If a malicious participant $U_i$ sends $(y_1, y_2, \ldots, y_n, u_{i,1}, u_{i,2}, \ldots, u_{i,n})$
such that not all $\log_{y_j} u_{i,j}$, $1 \le j \le n$, are equal, the probability that he can
construct $\mathrm{NIPVS}(g, y_1, y_2, \ldots, y_n, u_{i,1}, u_{i,2}, \ldots, u_{i,n})$ is at most $T/q$, which is
negligible, where $T$ is $U_i$'s running time. Thus, all honest participants will exclude the
malicious participant with an overwhelming probability. We can easily check
that an honest participant who follows the protocol will be accepted by the other
honest participants as "honest". Therefore, each honest participant computes
the same honest participant set with an overwhelming probability.

For correctness, since each honest participant $U_i$ computes the same participant
set, $U_i$ uses his private key $x_i$ to compute the subkeys $z_j = g^{k_j} \bmod p$ of
all honest participants. Thus, they compute the same conference key with an
overwhelming probability.

For fairness, since the common conference key is $g^{k_1 + k_2 + \cdots + k_n} \bmod p$, it is
unbiased if any of the $k_i$, $1 \le i \le n$, is selected over $Z_q$ uniformly and independently.
Therefore, no participant can bias the conference key as long as at least one of the
honest participants behaves properly. □

In our protocol, we let each participant sign his broadcast subkey by the
modified ElGamal signature scheme, which is existentially unforgeable against
the chosen ciphertext attack under the random oracle model [23]. No outsider
can impersonate a legal participant with a non-negligible probability under
the chosen-ciphertext attack in the random oracle model.

Theorem 6 (Authentication). Assume the random oracle model. If an outsider
$A$ can impersonate a legal participant $U_i$ to $V$ with a non-negligible
probability, $A$ and $V$ together can extract $U_i$'s secret $x_i$ from $A$ with an
overwhelming probability.

Proof. Since the modified ElGamal signature scheme is secure against existential
forgery under the chosen ciphertext attack, a successful impersonation in the
interactive system with a non-negligible probability would lead to computing
$U_i$'s secret $x_i$ with an overwhelming probability. The use of the session token $ST$
makes our non-interactive protocol secure against the replay attack. Note that
without special care, the replay attack is inevitable in non-interactive systems.
Therefore, our protocol is authenticated under the random oracle model. □
Since we replace the verifier's challenge with a cryptographically strong hash
function, the protocol is not zero-knowledge. But it releases no useful information
that can be used in the protocol under the random oracle model.

Theorem 7 (No useful information leakage). Assume the DLA and the
random oracle model. Protocol Conf-1 releases no useful information that can
be used in the protocol.

Proof. Even though the PVS protocol is complete, sound and honest-verifier
zero-knowledge, we cannot claim directly that our protocol releases no useful
information, since $U_i$ sends a signature $(r_i, s_i)$ in addition. The simulator
$S$ should handle this case. To simulate $U_i$'s output, $1 \le i \le n$, $S$ selects
$k_i \in Z_q$ randomly and computes $u_{i,j} = y_j^{k_i} \bmod p$, $1 \le j \le n$, and
$\mathrm{NIPVS}(g, y_1, y_2, \ldots, y_n, u_{i,1}, u_{i,2}, \ldots, u_{i,n})$. $S$ then computes a forged signature
$(r_i', s_i')$ of $U_i$ for the hash value $h$, i.e., $r_i' = g^a y_i^b \bmod p$, $s_i' = -r_i' b^{-1} \bmod q$ and
$h = -r_i' a b^{-1} \bmod q$ for $a \in_R Z_q$ and $b \in_R Z_q^*$. Since $H$ is assumed to be a
random function under the random oracle model, we let $H(ST, r_i', g^{k_i}) = h$. Finally,
$S$ outputs $(u_{i,1}, u_{i,2}, \ldots, u_{i,n}, \mathrm{NIPVS}(g, y_1, y_2, \ldots, y_n, u_{i,1}, u_{i,2}, \ldots, u_{i,n}), r_i', s_i')$,
together with a partial description of the random oracle $H$, i.e., setting
$H(ST, r_i', g^{k_i}) = h$.

We now compare the output distributions of $U_i$ and $S$. For the output
of $U_i$, since $h$ is random, $(r_i, s_i)$ is independent of $(u_{i,1}, u_{i,2}, \ldots, u_{i,n},$
$\mathrm{NIPVS}(g, y_1, y_2, \ldots, y_n, u_{i,1}, u_{i,2}, \ldots, u_{i,n}))$ and uniformly distributed over $G_q \times Z_q$
subject to $g^h = y_i^{r_i} r_i^{s_i} \pmod p$. For the output of $S$, the distribution of
$(u_{i,1}, u_{i,2}, \ldots, u_{i,n}, \mathrm{NIPVS}(g, y_1, y_2, \ldots, y_n, u_{i,1}, u_{i,2}, \ldots, u_{i,n}))$ is the same as
that of $U_i$. The distribution of $(r_i', s_i')$ is also uniform over $G_q \times Z_q$
subject to $g^h = y_i^{r_i'} r_i'^{s_i'} \pmod p$, since $a$ and $b$ are randomly chosen to fit the
equation. Thus, the output distribution of $S$ is equal to that of $U_i$ under the random
oracle model. Therefore, our protocol releases no useful information under
the random oracle model. □


4.3 Protocol Conf-2 

In this protocol, identity authentication is achieved by NIAPVS. The protocol
is as follows.

1. Message sending: each participant $U_i$ does the following:

(a) Randomly select $k_i \in Z_q$.

(b) Compute and broadcast $u_{i,j} = y_j^{k_i} \bmod p$, $1 \le j \le n$, and
$\mathrm{NIAPVS}(g, y_1, y_2, \ldots, y_n, u_{i,1}, u_{i,2}, \ldots, u_{i,n})$.

2. Conference key computing: each participant $U_i$ does the following:

(a) Fault detection and exclusion: for each $j \ne i$, verify
$\mathrm{NIAPVS}(g, y_1, y_2, \ldots, y_n, u_{j,1}, u_{j,2}, \ldots, u_{j,n})$. If the verification holds, add $U_j$ to its
honest participant set $U_i$.

(b) Compute the conference key: assume that $U_i$'s honest participant set $U_i$
is $\{U_{i_1}, U_{i_2}, \ldots, U_{i_m}\}$. $U_i$ computes the conference key

$K = (u_{i_1,i} u_{i_2,i} \cdots u_{i_m,i})^{x_i^{-1}} \bmod p = g^{k_{i_1} + k_{i_2} + \cdots + k_{i_m}} \bmod p.$

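The APVS/NIAPVS proof system of Section 3 and a run of protocol Conf-2, as an added example that is not the paper's own code. The toy group, SHA-256 as the hash $\mathcal{H}$ and the `impostor` option (a sender who knows $k_i$ but proves with a wrong $x_i$, so the $(y_i u_{i,j})^c$ factor in the check fails) are assumptions made here.

```python
import hashlib, secrets

# Constructed toy group (not a secure size): p = 2q + 1 is a safe prime and
# g = 4, a square mod p, generates the order-q subgroup G_q.
P, Q, G = 2039, 1019, 4

def H(*parts):
    """H(ST, .) reduced into Z_q; SHA-256 is an assumption, the paper fixes no hash."""
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big") % Q

def rand_zq():
    return secrets.randbelow(Q - 1) + 1

def niapvs_prove(st, ys, us, k, x):
    """NIAPVS(g, y_1..y_n, u_{i,1}..u_{i,n}) = (w1, w2, c): equal logs, and U_i knows k_i and x_i."""
    r1, r2 = rand_zq(), rand_zq()
    bs = [pow(y, r1, P) * pow(G, r2, P) % P for y in ys]        # b_j = y_j^{r1} g^{r2}
    c = H(st, G, *ys, *us, *bs)
    return (r1 - c * k) % Q, (r2 - c * x) % Q, c                # w1 = r1 - c k_i, w2 = r2 - c x_i

def niapvs_verify(st, ys, i, us, proof):
    """Recompute b_j = y_j^{w1} g^{w2} (y_i u_{i,j})^c; the y_i factor binds the proof to U_i's key."""
    w1, w2, c = proof
    bs = [pow(y, w1, P) * pow(G, w2, P) * pow(ys[i] * u % P, c, P) % P for y, u in zip(ys, us)]
    return c == H(st, G, *ys, *us, *bs)

def conf2(n=4, st="session-token-2", impostor=None):
    """Conf-2 over a broadcast channel; if `impostor` is set, that party proves with a guessed x_i."""
    xs = [rand_zq() for _ in range(n)]
    ys = [pow(G, x, P) for x in xs]                             # y_i = g^{x_i}
    ks = [rand_zq() for _ in range(n)]
    msgs = []
    for i in range(n):                                          # step 1
        us = [pow(y, ks[i], P) for y in ys]                     # u_{i,j} = y_j^{k_i}
        x_used = (xs[i] + 1) % Q if i == impostor else xs[i]    # impostor lacks the real x_i
        msgs.append((us, niapvs_prove(st, ys, us, ks[i], x_used)))
    views = []
    for i in range(n):                                          # step 2
        honest = [j for j, (us, pr) in enumerate(msgs) if j == i or niapvs_verify(st, ys, j, us, pr)]
        prod = 1
        for j in honest:
            prod = prod * msgs[j][0][i] % P
        views.append((honest, pow(prod, pow(xs[i], -1, Q), P)))  # K = (prod u_{j,i})^{x_i^{-1}}
    expected = pow(G, sum(ks[j] for j in range(n) if j != impostor) % Q, P)
    return views, expected
```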

4.4 Security Analysis of Conf-2 

The security analysis of the NIAPVS-based Conf-2 is similar to that of the NIPVS-based
Conf-1.

Theorem 8. Assume the DLA and the random oracle model. Protocol Conf-2
is correct, fair, fault-tolerant, and authenticated, and releases no useful information
that can be used in the protocol.

Proof. The only difference between Conf-1 and Conf-2 is that Conf-1 uses a
digital signature to authenticate participants, while Conf-2 uses NIAPVS to
authenticate participants. Since Theorem 2 shows that the participant's identity is
authenticated, Conf-2 meets the security requirements. □


5 A Message-Efficient Protocol 

The main protocol in [7] is message-efficient. If all the participants are honest,
they broadcast $O(n)$ messages in total. But the protocol is not fault tolerant,
that is, it cannot withstand the attack of malicious participants. We can apply
the technique of publicly verifiable secrets to obtain a message-efficient, but
not round-efficient, conference key agreement protocol that meets the security
requirements. The protocol's message complexity is $O(n)$ in the best case and
$O(n^2)$ in the worst case. It seems that there is no easy way to augment the
protocol to be both message- and round-efficient. The modified protocol is as
follows.

1. Message sending: each participant $U_i$ does the following:

(a) Randomly select $k_i \in Z_q$.

(b) Compute and broadcast $z_i = g^{k_i x_i} \bmod p$, $t_i = g^{k_i} \bmod p$ and
$\mathrm{NIDH}(g, y_i, t_i, z_i)$.

2. Message sending and fault detection: each participant $U_i$ does the following:

(a) For each $j \ne i$, check whether $\mathrm{NIDH}(g, y_j, t_j, z_j)$ is valid. If yes, add
$U_j$ to his honest participant set $U_i$.

(b) Let $U_i = \{U_1, U_2, \ldots, U_m\}$ and $Z_i = z_{(i+1) \bmod m} / z_{(i-1) \bmod m} \bmod p$. Compute
and broadcast $Y_i = Z_i^{k_i x_i} \bmod p$ and $\mathrm{NIEQ}(g, z_i, Z_i, Y_i)$.

3. Conference key computing: each participant $U_i$ does the following:

(a) Fault detection and exclusion: for each $j \ne i$, validate $\mathrm{NIEQ}(g, z_j, Z_j, Y_j)$.
If the validation does not hold, remove $U_j$ from its honest participant
set $U_i$ and restart the protocol with the new honest participant set.

(b) Compute the conference key: assume that $U_i$'s honest participant set $U_i$
is $\{U_1, U_2, \ldots, U_m\}$. $U_i$ computes the conference key

$K = z_{i-1}^{m k_i x_i} \cdot Y_i^{m-1} Y_{i+1}^{m-2} Y_{i+2}^{m-3} \cdots Y_{i-2} \bmod p$

$= g^{x_1 x_2 k_1 k_2 + x_2 x_3 k_2 k_3 + \cdots + x_m x_1 k_m k_1} \bmod p.$

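The DH and EQ proof systems of Section 3 and the key computation of the protocol just described, carried through for an all-honest run, as an added example rather than the paper's own code. The toy group and SHA-256 as the hash are assumptions, and the restart path of step 3(a) is not exercised because every proof verifies.

```python
import hashlib, secrets
# Constructed toy group (not a secure size): p = 2q + 1 is a safe prime and
# g = 4, a square mod p, generates the order-q subgroup G_q.
P, Q, G = 2039, 1019, 4

def H(*parts):
    """Fiat-Shamir challenge H(ST, .) reduced into Z_q; SHA-256 is an assumption."""
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big") % Q

def rand_zq():
    return secrets.randbelow(Q - 1) + 1

def nidh_prove(st, u, v, z, a, b):
    """NIDH(g, u, v, z): (g, u, v, z) = (g, g^a, g^b, g^{ab}) and the prover knows a and b."""
    r1, r2 = rand_zq(), rand_zq()
    a1, a2, b1, b2 = pow(G, r1, P), pow(u, r1, P), pow(G, r2, P), pow(v, r2, P)
    c = H(st, G, u, v, z, a1, a2, b1, b2)
    return c, (r1 + b * c) % Q, (r2 + a * c) % Q            # w1 = r1 + bc, w2 = r2 + ac

def nidh_verify(st, u, v, z, proof):
    c, w1, w2 = proof
    inv = lambda x: pow(x, -1, P)
    a1 = pow(G, w1, P) * inv(pow(v, c, P)) % P                 # a1 = g^{w1} / v^c
    a2 = pow(u, w1, P) * inv(pow(z, c, P)) % P                 # a2 = u^{w1} / z^c
    b1 = pow(G, w2, P) * inv(pow(u, c, P)) % P                 # b1 = g^{w2} / u^c
    b2 = pow(v, w2, P) * inv(pow(z, c, P)) % P                 # b2 = v^{w2} / z^c
    return c == H(st, G, u, v, z, a1, a2, b1, b2)

def nieq_prove(st, u, y, v, a):
    """NIEQ(g, u, y, v): (g, u, y, v) = (g, g^a, y, y^a) and the prover knows a."""
    r = rand_zq()
    c = H(st, G, u, y, v, pow(G, r, P), pow(y, r, P))          # b1 = g^r, b2 = y^r
    return c, (r - c * a) % Q                                  # w = r - ca

def nieq_verify(st, u, y, v, proof):
    c, w = proof
    b1 = pow(G, w, P) * pow(u, c, P) % P                       # b1 = g^w u^c
    b2 = pow(y, w, P) * pow(v, c, P) % P                       # b2 = y^w v^c
    return c == H(st, G, u, y, v, b1, b2)

def run_message_efficient(n=4, st="session-token-3"):
    """All-honest run of the Section 5 protocol; returns every participant's key and g^{sum}."""
    xs = [rand_zq() for _ in range(n)]
    ys = [pow(G, x, P) for x in xs]
    ks = [rand_zq() for _ in range(n)]
    # Step 1: z_i = g^{k_i x_i}, t_i = g^{k_i}, NIDH(g, y_i, t_i, z_i) with a = x_i, b = k_i
    zs = [pow(G, k * x, P) for k, x in zip(ks, xs)]
    ts = [pow(G, k, P) for k in ks]
    dh = [nidh_prove(st, ys[i], ts[i], zs[i], xs[i], ks[i]) for i in range(n)]
    assert all(nidh_verify(st, ys[i], ts[i], zs[i], dh[i]) for i in range(n))   # step 2(a)
    # Step 2(b): Z_i = z_{i+1} / z_{i-1}, Y_i = Z_i^{k_i x_i}, NIEQ(g, z_i, Z_i, Y_i)
    Zs = [zs[(i + 1) % n] * pow(zs[(i - 1) % n], -1, P) % P for i in range(n)]
    Ys = [pow(Zs[i], ks[i] * xs[i], P) for i in range(n)]
    eq = [nieq_prove(st, zs[i], Zs[i], Ys[i], ks[i] * xs[i]) for i in range(n)]
    assert all(nieq_verify(st, zs[i], Zs[i], Ys[i], eq[i]) for i in range(n))   # step 3(a)
    # Step 3(b): K = z_{i-1}^{n k_i x_i} * Y_i^{n-1} * Y_{i+1}^{n-2} * ... * Y_{i-2}
    keys = []
    for i in range(n):
        K = pow(zs[(i - 1) % n], n * ks[i] * xs[i], P)
        for j in range(1, n):
            K = K * pow(Ys[(i + j - 1) % n], n - j, P) % P
        keys.append(K)
    expected = pow(G, sum(xs[i] * xs[(i + 1) % n] * ks[i] * ks[(i + 1) % n] for i in range(n)) % Q, P)
    return keys, expected
```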

Theorem 9. Assume the DDHA and the random oracle model. The protocol
above is correct and secure with authentication, fault tolerance, and leaking no
useful information.

Proof. The correctness follows from [7], while the security follows from the
previous two round-efficient conference key agreement protocols. □


6 Conclusion 

We have presented two round-efficient conference key agreement protocols. The
protocols meet the security requirements: authentication, correctness, fairness,
fault tolerance (robustness) and privacy. Their message complexity is $O(n^2)$ for
$n$ participants. We also modified Burmester and Desmedt's protocol so that it
can withstand the attack of malicious participants.

It would be interesting to find a round-efficient protocol that meets all security
requirements and has $O(n)$ message complexity.